0003490
Internet Media & Services Sustainability Accounting Standard, Version 2018-10, Version 2018-10
The Sustainability Accounting Standards Board
International or National Standard
With Membership
Internet Media & Services Sustainability Accounting Standard
Internet Media & Services Sustainability Accounting Standard, Version 2018-10
2018-10-01
The document as a whole was last reviewed and released on 2022-07-01T00:00:00-0700.
0003490
With Membership
The Sustainability Accounting Standards Board
International or National Standard
Internet Media & Services Sustainability Accounting Standard
Internet Media & Services Sustainability Accounting Standard, Version 2018-10
2018-10-01
The document as a whole was last reviewed and released on 2022-07-01T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Internet Media & Services Sustainability Accounting Standard, Version 2018-10, Version 2018-10 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Internet Media & Services Sustainability Accounting Standard, Version 2018-10, Version 2018-10 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 [Disclosure shall include, but is not limited to: If the third-party verification of the use of cybersecurity risk management standards is conducted, including independent examinations or audits TC-IM-230a.2. 3.3.4] | Investigate | Detective | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 | Establish/Maintain Documentation | Corrective | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-220a.3 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-520a.1 2] | Actionable Reports or Measurements | Corrective | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology. TC-IM-230a.2. 2 The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology. TC-IM-230a.2. 2 The entity shall describe management's approach to addressing the risks it has identified related to recruiting foreign nationals, which may include developing local talent pools, political lobbying for immigration reform, outsourcing of operations, or joining or forming industry partnerships. Note to TC-IM-330a.1 2] | Establish/Maintain Documentation | Corrective | |
| Review and approve the risk assessment findings. CC ID 06485 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [Disclosure shall include, but is not limited to: The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and | Establish/Maintain Documentation | Preventive | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
| Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 [The entity may provide disclosures by region or country. TC-IM-220a.6. 5] | Establish/Maintain Documentation | Preventive | |
| Include a summary of the questions and statements from surveys or studies in the disclosure report. CC ID 15631 [The entity shall briefly describe: A summary of questions or statements included in the survey or term_primary-noun">study (e.g., those related to goal setting, support to achieve goals, training and development, work processes, and commitment to the organization) Note to TC-IM-330a.2 1.3] | Establish/Maintain Documentation | Preventive | |
| Include a statement that confidential information has been omitted in the disclosure report. CC ID 16598 | Establish/Maintain Documentation | Preventive | |
| Include legal proceedings in the disclosure report. CC ID 15564 [{monetary loss} The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant :#F0BBBC;" class="term_primary-noun">industry regulations, such as: TC-IM-220a.3. 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: TC-IM-220a.3. 6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: TC-IM-520a.1. 6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant regulations, such as: TC-IM-520a.1. 5] | Establish/Maintain Documentation | Preventive | |
| Include the context of monetary losses from legal proceedings in the disclosure report. CC ID 15533 [The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data, children's privacy) of all monetary losses as a result of legal proceedings. Note to TC-IM-220a.3 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings. Note to TC-IM-520a.1 1] | Establish/Maintain Documentation | Preventive | |
| Include the nature of monetary losses from legal proceedings in the disclosure report. CC ID 15532 [The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data, children's privacy) of all monetary losses as a result of legal proceedings. Note to TC-IM-220a.3 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with incidents relating to user privacy. TC-IM-220a.3. 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings. Note to TC-IM-520a.1 1] | Establish/Maintain Documentation | Preventive | |
| Include goals and targets in the disclosure report. CC ID 16339 | Establish/Maintain Documentation | Preventive | |
| Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Establish/Maintain Documentation | Preventive | |
| Include the relationship between organizational requirements and external requirements in the disclosure report. CC ID 16154 | Establish/Maintain Documentation | Preventive | |
| Include external requirements in the disclosure report. CC ID 16150 | Establish/Maintain Documentation | Preventive | |
| Include the classification of risks and opportunities posed by climate change in the disclosure report. CC ID 16096 | Establish/Maintain Documentation | Preventive | |
| Include board oversight of risks and opportunities in the disclosure report. CC ID 16337 | Establish/Maintain Documentation | Preventive | |
| Include risk management procedures in the disclosure report. CC ID 16058 | Establish/Maintain Documentation | Preventive | |
| Include the risk management strategy in the disclosure report. CC ID 16348 | Establish/Maintain Documentation | Preventive | |
| Include risk assessment procedures in the disclosure report. CC ID 16343 | Establish/Maintain Documentation | Preventive | |
| Include the organization's primary activities in the disclosure report. CC ID 16043 | Establish/Maintain Documentation | Preventive | |
| Include business operations owned by the organization in the disclosure report. CC ID 15614 | Establish/Maintain Documentation | Preventive | |
| Include critical business operations that support cloud services in the disclosure report. CC ID 15612 | Establish/Maintain Documentation | Preventive | |
| Include the relationship between the tax strategy and the organizational strategy in the disclosure report. CC ID 16035 | Establish/Maintain Documentation | Preventive | |
| Include reference to assurance statements in the disclosure report. CC ID 16033 | Establish/Maintain Documentation | Preventive | |
| Include a description of assurance processes in the disclosure report. CC ID 16031 | Establish/Maintain Documentation | Preventive | |
| Include metrics in the disclosure report. CC ID 15916 | Establish/Maintain Documentation | Preventive | |
| Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 [{racial group representation} The entity shall disclose gender representation for all employees and racial/ethnic group representation for its U.S. employees by employee category. TC-IM-330a.3. 1 {gender representation}{racial group representation} The entity may disclose gender and/or racial/ethnic group representation by employee category in the following table formats: TC-IM-330a.3. 9] | Establish/Maintain Documentation | Preventive | |
| Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 [{racial group representation} The entity shall disclose gender representation for all employees and racial/ethnic group representation for its U.S. employees by employee category. TC-IM-330a.3. 1 {gender representation}{racial group representation} The entity may disclose gender and/or racial/ethnic group representation by employee category in the following table formats: TC-IM-330a.3. 9] | Actionable Reports or Measurements | Detective | |
| Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 | Establish/Maintain Documentation | Preventive | |
| Include the number of individuals in each region in the disclosure report. CC ID 15835 | Establish/Maintain Documentation | Preventive | |
| Include the number of individuals in each gender category in the disclosure report. CC ID 15633 | Establish/Maintain Documentation | Preventive | |
| Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 | Establish/Maintain Documentation | Preventive | |
| Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 | Establish/Maintain Documentation | Preventive | |
| Include metrics criteria in the disclosure report. CC ID 16143 | Establish/Maintain Documentation | Preventive | |
| Include risk management metrics in the disclosure report. CC ID 16345 | Establish/Maintain Documentation | Preventive | |
| Include financial management metrics in the disclosure report. CC ID 16042 | Establish/Maintain Documentation | Preventive | |
| Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 | Actionable Reports or Measurements | Detective | |
| Include revenues in the disclosure report. CC ID 16099 | Actionable Reports or Measurements | Detective | |
| Include the economic value distributed in the disclosure report. CC ID 16086 | Actionable Reports or Measurements | Detective | |
| Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 | Actionable Reports or Measurements | Detective | |
| Include total monetary value of payments to governments in the disclosure report. CC ID 16091 | Actionable Reports or Measurements | Detective | |
| Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 | Actionable Reports or Measurements | Detective | |
| Include total monetary value of community investments in the disclosure report. CC ID 16089 | Actionable Reports or Measurements | Detective | |
| Include operating costs in the disclosure report. CC ID 16088 | Actionable Reports or Measurements | Detective | |
| Include economic value retained in the disclosure report. CC ID 16094 | Actionable Reports or Measurements | Detective | |
| Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 | Actionable Reports or Measurements | Detective | |
| Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 | Establish/Maintain Documentation | Preventive | |
| Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 | Actionable Reports or Measurements | Detective | |
| Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 | Actionable Reports or Measurements | Detective | |
| Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 | Actionable Reports or Measurements | Detective | |
| Include revenues from third party sales in the disclosure report. CC ID 16045 | Actionable Reports or Measurements | Detective | |
| Include the profit and loss before tax in the disclosure report. CC ID 16044 | Actionable Reports or Measurements | Detective | |
| Include metrics on anti-corruption in the disclosure report. CC ID 16052 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 | Actionable Reports or Measurements | Detective | |
| Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 | Actionable Reports or Measurements | Detective | |
| Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 | Actionable Reports or Measurements | Detective | |
| Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 | Actionable Reports or Measurements | Detective | |
| Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 | Actionable Reports or Measurements | Detective | |
| Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 | Actionable Reports or Measurements | Detective | |
| Include the total number of incidents of corruption in the disclosure report. CC ID 16066 | Actionable Reports or Measurements | Detective | |
| Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 | Actionable Reports or Measurements | Detective | |
| Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 | Actionable Reports or Measurements | Detective | |
| Include environmental management metrics in the disclosure report. CC ID 16012 | Establish/Maintain Documentation | Preventive | |
| Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 | Actionable Reports or Measurements | Detective | |
| Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 | Establish/Maintain Documentation | Preventive | |
| Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 | Actionable Reports or Measurements | Detective | |
| Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 | Actionable Reports or Measurements | Detective | |
| Include metrics on procurement practices in the disclosure report. CC ID 16011 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 | Actionable Reports or Measurements | Detective | |
| Include emissions management metrics in the disclosure report. CC ID 15987 | Establish/Maintain Documentation | Preventive | |
| Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 | Actionable Reports or Measurements | Detective | |
| Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 | Actionable Reports or Measurements | Detective | |
| Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 | Actionable Reports or Measurements | Detective | |
| Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 | Actionable Reports or Measurements | Detective | |
| Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 | Actionable Reports or Measurements | Detective | |
| Include gross direct greenhouse gas emissions in the disclosure report.. CC ID 16009 | Actionable Reports or Measurements | Detective | |
| Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 | Actionable Reports or Measurements | Detective | |
| Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 | Actionable Reports or Measurements | Detective | |
| Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 | Actionable Reports or Measurements | Detective | |
| Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 | Actionable Reports or Measurements | Detective | |
| Include the total amount of significant air emissions in the disclosure report. CC ID 16005 | Actionable Reports or Measurements | Detective | |
| Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 | Actionable Reports or Measurements | Detective | |
| Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 | Actionable Reports or Measurements | Detective | |
| Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 | Actionable Reports or Measurements | Detective | |
| Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 | Actionable Reports or Measurements | Detective | |
| Include the total emissions of particulate matter in the disclosure report. CC ID 16077 | Actionable Reports or Measurements | Detective | |
| Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 | Actionable Reports or Measurements | Detective | |
| Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 | Actionable Reports or Measurements | Detective | |
| Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 | Actionable Reports or Measurements | Detective | |
| Include compliance metrics in the disclosure report. CC ID 15932 | Establish/Maintain Documentation | Preventive | |
| Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 | Actionable Reports or Measurements | Detective | |
| Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 | Actionable Reports or Measurements | Detective | |
| Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 [The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with anti-competitive behavior such as those related to enforcement of laws and regulations on price fixing, anti-trust behavior (e.g., exclusivity contracts), patent misuse, or network effects and bundling of services and products to limit competition. TC-IM-520a.1. 1] | Establish/Maintain Documentation | Preventive | |
| Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 | Establish/Maintain Documentation | Preventive | |
| Include metrics on labor-management relations in the disclosure report. CC ID 15935 | Establish/Maintain Documentation | Preventive | |
| Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 | Establish/Maintain Documentation | Preventive | |
| Include waste management metrics in the disclosure report. CC ID 15925 | Establish/Maintain Documentation | Preventive | |
| Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 | Actionable Reports or Measurements | Detective | |
| Include the total volume of significant spills in the disclosure report. CC ID 16010 | Actionable Reports or Measurements | Detective | |
| Include the total number of significant spills in the disclosure report. CC ID 15965 | Actionable Reports or Measurements | Detective | |
| Include the total weight of waste generated in the disclosure report. CC ID 15778 | Establish/Maintain Documentation | Preventive | |
| Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of waste generated in the disclosure report. CC ID 15775 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 | Establish/Maintain Documentation | Preventive | |
| Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 | Establish/Maintain Documentation | Preventive | |
| Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 | Establish/Maintain Documentation | Preventive | |
| Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of waste diverted from disposal the disclosure report. CC ID 15767 | Establish/Maintain Documentation | Preventive | |
| Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 | Establish/Maintain Documentation | Preventive | |
| Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 | Establish/Maintain Documentation | Preventive | |
| Include product and service management metrics in the disclosure report. CC ID 15917 | Establish/Maintain Documentation | Preventive | |
| Include the performance qualification score of laptops in the disclosure report. CC ID 16176 | Actionable Reports or Measurements | Detective | |
| Include the battery life score of laptops in the disclosure report. CC ID 16175 | Actionable Reports or Measurements | Detective | |
| Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 | Actionable Reports or Measurements | Detective | |
| Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 | Actionable Reports or Measurements | Detective | |
| Include the energy efficiency of server processors in the disclosure report. CC ID 16170 | Actionable Reports or Measurements | Detective | |
| Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 | Actionable Reports or Measurements | Detective | |
| Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 | Actionable Reports or Measurements | Detective | |
| Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 | Actionable Reports or Measurements | Detective | |
| Include the SPECspeed2017_fp_basescore/watt of desktop computers in the disclosure report. CC ID 16157 | Actionable Reports or Measurements | Detective | |
| Include the average actual sustained download speed in the disclosure report. CC ID 15568 | Actionable Reports or Measurements | Detective | |
| Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 | Establish/Maintain Documentation | Preventive | |
| Include the average advertised download speed in the disclosure report. CC ID 15567 | Actionable Reports or Measurements | Detective | |
| Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 | Establish/Maintain Documentation | Preventive | |
| Include water management metrics in the disclosure report. CC ID 15924 | Establish/Maintain Documentation | Preventive | |
| Include the total water withdrawal in the disclosure report. CC ID 15593 [The entity shall disclose the amount of water, in thousands of cubic meters, that was withdrawn from all sources. TC-IM-130a.2. 1] | Establish/Maintain Documentation | Preventive | |
| Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 [{level}{be higher} The entity shall disclose its water withdrawn in locations with High or Extremely High d-color:#F0BBBC;" class="term_primary-noun">Baseline Water Stress as a percentage of the total water withdrawn. TC-IM-130a.2. 5] | Actionable Reports or Measurements | Detective | |
| Include the total water discharge in the disclosure report. CC ID 15758 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of water discharge in the disclosure report. CC ID 15759 | Establish/Maintain Documentation | Preventive | |
| Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 | Establish/Maintain Documentation | Preventive | |
| Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 [{level}{be higher} The entity shall disclose its water consumed in locations with High or Extremely High -color:#F0BBBC;" class="term_primary-noun">Baseline Water Stress as a percentage of the total water consumed. TC-IM-130a.2. 6] | Actionable Reports or Measurements | Detective | |
| Include the total water consumption in the disclosure report. CC ID 15642 [{saltwater} The entity may disclose portions of its supply by "background-color:#F0BBBC;" class="term_primary-noun">source if, for example, significant portions of withdrawals are from non-freshwater sources. TC-IM-130a.2. 2 The entity shall disclose the amount of water, in thousands of cubic meters, that was consumed in its operations. TC-IM-130a.2. 3] | Establish/Maintain Documentation | Preventive | |
| Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 | Establish/Maintain Documentation | Preventive | |
| Include the total number of complaints received in the disclosure report. CC ID 15728 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 [If results are limited to a subset of employees, the entity shall include the percentage of employees included in the study or survey and the representativeness of the sample. Note to TC-IM-330a.2 3 If results are limited to a subset of employees, the entity shall include the percentage of employees included in the study or survey and the representativeness of the sample. Note to TC-IM-330a.2 3] | Establish/Maintain Documentation | Preventive | |
| Include employment practices metrics in the disclosure report. CC ID 15921 | Establish/Maintain Documentation | Preventive | |
| Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 | Actionable Reports or Measurements | Detective | |
| Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 | Actionable Reports or Measurements | Detective | |
| Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 | Actionable Reports or Measurements | Detective | |
| Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 | Actionable Reports or Measurements | Detective | |
| Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 | Actionable Reports or Measurements | Detective | |
| Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 | Actionable Reports or Measurements | Detective | |
| Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 [The entity shall disclose the percentage of employees that are foreign nationals. TC-IM-330a.1. 1] | Actionable Reports or Measurements | Preventive | |
| Include the percentage of employee engagement in the disclosure report. CC ID 15634 [The entity shall disclose employee engagement as a percentage. TC-IM-330a.2. 1] | Actionable Reports or Measurements | Preventive | |
| Include the percentage of offshore employees in the disclosure report. CC ID 15623 | Actionable Reports or Measurements | Preventive | |
| Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 | Actionable Reports or Measurements | Detective | |
| Include the rate of new employee hires in the disclosure report. CC ID 15928 | Actionable Reports or Measurements | Detective | |
| Include the rate of employee turnover in the disclosure report. CC ID 15898 | Establish/Maintain Documentation | Preventive | |
| Include the total number of employees who left the organization in the disclosure report. CC ID 16127 | Actionable Reports or Measurements | Detective | |
| Include the total number of new employee hires in the disclosure report. CC ID 15896 | Establish/Maintain Documentation | Preventive | |
| Include the total number of employees in the disclosure report. CC ID 15834 | Establish/Maintain Documentation | Preventive | |
| Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 | Actionable Reports or Measurements | Detective | |
| Include metrics on parental leave in the disclosure report. CC ID 15936 | Establish/Maintain Documentation | Preventive | |
| Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 | Establish/Maintain Documentation | Preventive | |
| Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 | Actionable Reports or Measurements | Detective | |
| Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 | Actionable Reports or Measurements | Detective | |
| Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 | Actionable Reports or Measurements | Detective | |
| Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 | Actionable Reports or Measurements | Detective | |
| Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 | Actionable Reports or Measurements | Detective | |
| Include the number of hours worked in the disclosure report. CC ID 15910 | Establish/Maintain Documentation | Preventive | |
| Include metrics on public policy advocacy in the disclosure report. CC ID 15947 | Establish/Maintain Documentation | Preventive | |
| Include the total monetary value of political contributions in the disclosure report. CC ID 15803 | Establish/Maintain Documentation | Preventive | |
| Include metrics on training and education in the disclosure report. CC ID 15940 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 | Establish/Maintain Documentation | Preventive | |
| Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 | Actionable Reports or Measurements | Preventive | |
| Include operational metrics in the disclosure report. CC ID 15939 | Establish/Maintain Documentation | Preventive | |
| Include incident management metrics in the disclosure report. CC ID 15926 | Establish/Maintain Documentation | Preventive | |
| Include the user average interruption duration in the disclosure report. CC ID 15558 | Actionable Reports or Measurements | Detective | |
| Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 | Establish/Maintain Documentation | Preventive | |
| Include the system average interruption frequency in the disclosure report. CC ID 15565 | Actionable Reports or Measurements | Detective | |
| Include the total user downtime in the disclosure report. CC ID 15635 | Actionable Reports or Measurements | Preventive | |
| Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 | Establish/Maintain Documentation | Preventive | |
| Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 | Establish/Maintain Documentation | Preventive | |
| Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 [{content removal request} The entity shall disclose the percentage of the requests from government or law enforcement agencies to remove content where the entity complied with the issuing agencies to remove content. TC-IM-220a.6. 2] | Actionable Reports or Measurements | Preventive | |
| Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 | Actionable Reports or Measurements | Detective | |
| Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 | Actionable Reports or Measurements | Preventive | |
| Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 [The entity shall disclose the number of unique users whose information is used for secondary purposes. TC-IM-220a.2. 1 The scope of disclosure shall include the users whose information is used by the entity itself for secondary purposes as well as the users whose information is provided to affiliates or non-affiliates to use for secondary purposes. TC-IM-220a.2. 2] | Establish/Maintain Documentation | Preventive | |
| Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 [{government request} The entity shall disclose (3) the percentage of government and law enforcement requests that resulted in disclosure to the ss="term_primary-noun">requesting party. TC-IM-220a.4. 3] | Actionable Reports or Measurements | Detective | |
| Include the number of content removal requests in the disclosure report. CC ID 15647 [The entity shall disclose the number of requests to remove content it received from government or law enforcement agencies. TC-IM-220a.6. 1] | Establish/Maintain Documentation | Preventive | |
| Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Establish/Maintain Documentation | Preventive | |
| Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 [The entity shall disclose (1) the total number of unique requests for user information, including user content and non-content data, from government or law enforcement agencies. TC-IM-220a.4. 1 The entity shall disclose (2) the total number of unique users whose information was requested by government or law enforcement agencies. TC-IM-220a.4. 2] | Establish/Maintain Documentation | Preventive | |
| Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 [The entity shall disclose (3) the total number of unique users who were affected by data breaches, which includes all those whose personal data was compromised in a data breach. TC-IM-230a.1. 3] | Actionable Reports or Measurements | Detective | |
| Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 [The entity shall disclose (2) the percentage of data breaches in which personally identifiable information (PII) was subject to the data breach. TC-IM-230a.1. 2] | Establish/Maintain Documentation | Preventive | |
| Include third party management metrics in the disclosure report. CC ID 15923 | Establish/Maintain Documentation | Preventive | |
| Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 | Establish/Maintain Documentation | Preventive | |
| Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 | Establish/Maintain Documentation | Preventive | |
| Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 | Establish/Maintain Documentation | Preventive | |
| Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 | Actionable Reports or Measurements | Detective | |
| Include metrics on supplier social assessments in the disclosure report. CC ID 15938 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 | Establish/Maintain Documentation | Preventive | |
| Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 | Establish/Maintain Documentation | Preventive | |
| Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 | Establish/Maintain Documentation | Preventive | |
| Include customer health and safety management metrics in the disclosure report. CC ID 15922 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 | Establish/Maintain Documentation | Preventive | |
| Include energy management metrics in the disclosure report. CC ID 15920 | Establish/Maintain Documentation | Preventive | |
| Include the total energy reduction in the disclosure report. CC ID 15749 | Establish/Maintain Documentation | Preventive | |
| Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 | Establish/Maintain Documentation | Preventive | |
| Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 | Establish/Maintain Documentation | Preventive | |
| Include the power usage effectiveness in the disclosure report. CC ID 15552 [The entity may disclose the trailing twelve-month (TTM) weighted average power usage effectiveness (PUE) for its data centers. TC-IM-130a.1. 5] | Actionable Reports or Measurements | Detective | |
| Include the total heating sold in the disclosure report. CC ID 15739 | Establish/Maintain Documentation | Preventive | |
| Include the energy intensity ratio in the disclosure report. CC ID 15735 | Actionable Reports or Measurements | Preventive | |
| Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 | Establish/Maintain Documentation | Preventive | |
| Include the total electricity sold in the disclosure report. CC ID 15740 | Establish/Maintain Documentation | Preventive | |
| Include the total energy consumption in the disclosure report. CC ID 15506 [The entity shall disclose (1) the total amount of energy it consumed as an aggregate figure, in gigajoules (GJ). TC-IM-130a.1. 1] | Establish/Maintain Documentation | Preventive | |
| Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 | Establish/Maintain Documentation | Preventive | |
| Include the total heating consumption in the disclosure report. CC ID 15743 | Establish/Maintain Documentation | Preventive | |
| Include the total cooling sold in the disclosure report. CC ID 15738 | Establish/Maintain Documentation | Preventive | |
| Include the total cooling consumption in the disclosure report. CC ID 15742 | Establish/Maintain Documentation | Preventive | |
| Include the total steam sold in the disclosure report. CC ID 15737 | Establish/Maintain Documentation | Preventive | |
| Include the total steam consumption in the disclosure report. CC ID 15741 | Establish/Maintain Documentation | Preventive | |
| Include the fuel types used in the disclosure report. CC ID 15745 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 [The entity shall disclose (3) the percentage of energy it consumed that is renewable energy. TC-IM-130a.1. 3] | Actionable Reports or Measurements | Detective | |
| Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 [The entity shall disclose (2) the percentage of energy it consumed that was supplied from grid electricity. TC-IM-130a.1. 2] | Actionable Reports or Measurements | Detective | |
| Include materials management metrics in the disclosure report. CC ID 15919 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 | Actionable Reports or Measurements | Detective | |
| Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 | Establish/Maintain Documentation | Preventive | |
| Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 | Actionable Reports or Measurements | Detective | |
| Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 | Establish/Maintain Documentation | Preventive | |
| Include the weight of recovered materials in the disclosure report. CC ID 16203 | Actionable Reports or Measurements | Detective | |
| Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 | Actionable Reports or Measurements | Detective | |
| Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 | Establish/Maintain Documentation | Preventive | |
| Include occupational health and safety management metrics in the disclosure report. CC ID 15918 | Establish/Maintain Documentation | Preventive | |
| Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 | Establish/Maintain Documentation | Preventive | |
| Include the total number of work-related injuries in the disclosure report. CC ID 15899 | Establish/Maintain Documentation | Preventive | |
| Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 | Establish/Maintain Documentation | Preventive | |
| Include the rate of work-related injuries in the disclosure report. CC ID 15944 | Actionable Reports or Measurements | Detective | |
| Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 | Actionable Reports or Measurements | Detective | |
| Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 | Actionable Reports or Measurements | Detective | |
| Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 | Actionable Reports or Measurements | Detective | |
| Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 | Actionable Reports or Measurements | Detective | |
| Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 | Actionable Reports or Measurements | Detective | |
| Include outsourcing arrangements in the disclosure report. CC ID 15621 [{environmental considerations} The scope of disclosure includes considerations for existing owned data centers, development of new data centers, and outsourcing of y-noun">data center services, where relevant. TC-IM-130a.3. 3] | Establish/Maintain Documentation | Preventive | |
| Include business operations outsourced to third parties in the disclosure report. CC ID 15616 | Establish/Maintain Documentation | Preventive | |
| Include how material topics are managed in the disclosure report. CC ID 15657 | Establish/Maintain Documentation | Preventive | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Establish/Maintain Documentation | Preventive | |
| Include the content removal policy in the disclosure report. CC ID 15650 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3 The entity may break out categories of request type (e.g., copyright takedown notices, illegal hate speech). TC-IM-220a.6. 4] | Establish/Maintain Documentation | Preventive | |
| Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Establish/Maintain Documentation | Preventive | |
| Include requirements for content removal requests in the disclosure report. CC ID 15652 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Establish/Maintain Documentation | Preventive | |
| Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Establish/Maintain Documentation | Preventive | |
| Include the scope of content removal requests in the disclosure report. CC ID 15648 [The scope of content removal requests includes, but is not limited to, instances where the content is restricted in one or more markets the entity operates in, but not others. TC-IM-220a.6. 1.1 {content removal request} The scope of requests the entity complied with shall include requests that resulted in full or partial compliance with the disclosure request within the reporting period. TC-IM-220a.6. 2.2] | Establish/Maintain Documentation | Preventive | |
| Include a description of data subjects in the disclosure report. CC ID 16791 | Establish/Maintain Documentation | Preventive | |
| Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Establish/Maintain Documentation | Preventive | |
| Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Establish/Maintain Documentation | Preventive | |
| Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Establish/Maintain Documentation | Preventive | |
| Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Establish/Maintain Documentation | Preventive | |
| Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 [Where relevant, the entity shall discuss its policies and practices related to freedom of expression, including how they influence its decision making when operating in countries that may request or require some form of monitoring, blocking, content filtering, or censoring of the entity's content. Note to TC-IM-220a.5 4 Where relevant, the entity shall discuss its policies and practices related to freedom of expression, including how they influence its decision making when operating in countries that may request or require some form of monitoring, blocking, content filtering, or censoring of the entity's content. Note to TC-IM-220a.5 4] | Establish/Maintain Documentation | Preventive | |
| Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Establish/Maintain Documentation | Preventive | |
| Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 [{government request}{law enforcement request}{user information} The scope of requests that resulted in disclosure shall include requests that resulted in full or partial compliance with the disclosure request within the reporting period. TC-IM-220a.4. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 [The scope of disclosure shall include the users whose information is used by the entity itself for secondary purposes as well as the users whose information is provided to affiliates or non-affiliates to use for secondary purposes. TC-IM-220a.2. 2] | Establish/Maintain Documentation | Preventive | |
| Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 [The scope of this requests that resulted in disclosure shall include disclosure of aggregated, de-identified, and anonymized data, which is intended to prevent the recipient from reconfiguring the data to identify an individual's actions or identity. TC-IM-220a.4. 3.3] | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Establish/Maintain Documentation | Preventive | |
| Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Establish/Maintain Documentation | Preventive | |
| Include significant risks related to corruption in the disclosure report. CC ID 16065 | Establish/Maintain Documentation | Preventive | |
| Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Establish/Maintain Documentation | Preventive | |
| Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Establish/Maintain Documentation | Preventive | |
| Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Establish/Maintain Documentation | Preventive | |
| Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Establish/Maintain Documentation | Preventive | |
| Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Establish/Maintain Documentation | Preventive | |
| Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Establish/Maintain Documentation | Preventive | |
| Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Establish/Maintain Documentation | Preventive | |
| Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Establish/Maintain Documentation | Preventive | |
| Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Establish/Maintain Documentation | Preventive | |
| Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Establish/Maintain Documentation | Preventive | |
| Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Establish/Maintain Documentation | Preventive | |
| Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Establish/Maintain Documentation | Preventive | |
| Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Establish/Maintain Documentation | Preventive | |
| Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Establish/Maintain Documentation | Preventive | |
| Include the tax jurisdictions in the disclosure report. CC ID 16047 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Establish/Maintain Documentation | Preventive | |
| Include the tax strategy in the disclosure report. CC ID 16029 | Establish/Maintain Documentation | Preventive | |
| Include the tax governance and control framework in the disclosure report. CC ID 16028 | Establish/Maintain Documentation | Preventive | |
| Include the management of tax risks in the disclosure report. CC ID 16026 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Establish/Maintain Documentation | Preventive | |
| Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Establish/Maintain Documentation | Preventive | |
| Include the local minimum wage in the disclosure report. CC ID 15992 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Establish/Maintain Documentation | Preventive | |
| Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Establish/Maintain Documentation | Preventive | |
| Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Establish/Maintain Documentation | Preventive | |
| Include the emissions management plan in the disclosure report. CC ID 16177 | Establish/Maintain Documentation | Preventive | |
| Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Establish/Maintain Documentation | Preventive | |
| Include emission reduction targets in the disclosure report. CC ID 16148 | Establish/Maintain Documentation | Preventive | |
| Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Establish/Maintain Documentation | Preventive | |
| Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Establish/Maintain Documentation | Preventive | |
| Include a description of carbon offsets in the disclosure report. CC ID 15988 | Establish/Maintain Documentation | Preventive | |
| Include the design and development of data centers in the disclosure report. CC ID 15620 [{environmental considerations} The scope of disclosure includes considerations for existing owned _primary-noun">d"background-color:#CBD0E5;" class="term_secondary-verb">ata centers, development of new data centers, and outsourcing of data center services, where relevant. TC-IM-130a.3. 3] | Establish/Maintain Documentation | Preventive | |
| Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 [The scope of this disclosure includes company operations that have been discontinued, or were never offered, in a region due to government activity related to monitoring, blocking, content filtering, or censoring. TC-IM-220a.5. 2 {governmental body}{judicial authority} The entity shall disclose a list of the countries where its products and services are monitored, blocked, content is filtered, or censored due to governmental, judicial, or law enforcement requests or requirements, where: TC-IM-220a.5. 1] | Establish/Maintain Documentation | Preventive | |
| Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Establish/Maintain Documentation | Preventive | |
| Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 [The entity may discuss implications of blocking or censorship, such as affecting ability to grow market share, or increased costs to comply with these restrictions. Note to TC-IM-220a.5 2] | Establish/Maintain Documentation | Preventive | |
| Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall nd-color:#B7D8ED;" class="term_primary-verb">identify</span> the product or service ="background-color:#CBD0E5;" class="term_secondary-verb">affected and discuss the nature of the modification, indicating whether modification was undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its home country or other significant markets. Note to TC-IM-220a.5 3] | Establish/Maintain Documentation | Preventive | |
| Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall identify the product or service affected and rm_primary-verb">discuss the round-color:#F0BBBC;" class="term_primary-noun">nature of the modification, indicating whether modification was term_secondary-verb">undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its home country or other significant markets. Note to TC-IM-220a.5 3] | Establish/Maintain Documentation | Preventive | |
| Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall identify the product or service affected and discuss the nature of the modification, indicating whether modification was undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its <span style="background-color:#F0BBBC;" class="term_primary-noun">home country or other significant markets. Note to TC-IM-220a.5 3] | Establish/Maintain Documentation | Preventive | |
| Include the nature of complaints received in the disclosure report. CC ID 15844 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Establish/Maintain Documentation | Preventive | |
| Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Establish/Maintain Documentation | Preventive | |
| Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Establish/Maintain Documentation | Preventive | |
| Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Establish/Maintain Documentation | Preventive | |
| Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Establish/Maintain Documentation | Preventive | |
| Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Establish/Maintain Documentation | Preventive | |
| Include the employee representation program in the disclosure report. CC ID 15628 [The entity shall describe its policies and programs for fostering equitable employee representation across its global operations. Note to TC-IM-330a.3 1] | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Establish/Maintain Documentation | Preventive | |
| Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Establish/Maintain Documentation | Preventive | |
| Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Establish/Maintain Documentation | Preventive | |
| Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Establish/Maintain Documentation | Preventive | |
| Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Establish/Maintain Documentation | Preventive | |
| Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Establish/Maintain Documentation | Preventive | |
| Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Establish/Maintain Documentation | Preventive | |
| Include work-related hazards in the disclosure report. CC ID 15911 | Establish/Maintain Documentation | Preventive | |
| Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Establish/Maintain Documentation | Preventive | |
| Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Establish/Maintain Documentation | Preventive | |
| Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Establish/Maintain Documentation | Preventive | |
| Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Establish/Maintain Documentation | Preventive | |
| Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Establish/Maintain Documentation | Preventive | |
| Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Establish/Maintain Documentation | Preventive | |
| Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Establish/Maintain Documentation | Preventive | |
| Include the main types of work-related injury in the disclosure report. CC ID 15959 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Establish/Maintain Documentation | Preventive | |
| Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Establish/Maintain Documentation | Preventive | |
| Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Establish/Maintain Documentation | Preventive | |
| Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Establish/Maintain Documentation | Preventive | |
| Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 [The entity shall describe potential risks from recruiting foreign nationals, which may arise from immigration, naturalization, or visa regulations. Note to TC-IM-330a.1 1] | Establish/Maintain Documentation | Preventive | |
| Include the process for reporting near misses in the disclosure report. CC ID 16211 | Establish/Maintain Documentation | Preventive | |
| Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Establish/Maintain Documentation | Preventive | |
| Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Establish/Maintain Documentation | Preventive | |
| Include the Code of Conduct in the disclosure report. CC ID 16205 | Establish/Maintain Documentation | Preventive | |
| Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Establish/Maintain Documentation | Preventive | |
| Include the scope of work stoppages in the disclosure report. CC ID 16215 | Establish/Maintain Documentation | Preventive | |
| Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Establish/Maintain Documentation | Preventive | |
| Include the impact of work stoppages in the disclosure report. CC ID 16212 | Establish/Maintain Documentation | Preventive | |
| Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Establish/Maintain Documentation | Preventive | |
| Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 | Establish/Maintain Documentation | Preventive | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Establish/Maintain Documentation | Preventive | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Establish/Maintain Documentation | Preventive | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Establish/Maintain Documentation | Preventive | |
| Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Establish/Maintain Documentation | Preventive | |
| Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Establish/Maintain Documentation | Preventive | |
| Include the material of spills in the disclosure report. CC ID 15968 | Establish/Maintain Documentation | Preventive | |
| Include the location of spills in the disclosure report. CC ID 15964 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Establish/Maintain Documentation | Preventive | |
| Include products that contain declarable substances in the disclosure report. CC ID 16161 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Establish/Maintain Documentation | Preventive | |
| Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Establish/Maintain Documentation | Preventive | |
| Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Establish/Maintain Documentation | Preventive | |
| Include the scope of renewable energy in the disclosure report. CC ID 15509 [{hydropower source}{relevant authority}For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following: Energy from hydro sources is round-color:#B7D8ED;" class="term_primary-verb">limited to those that are m_secondary-verb">certified by the Low Impact Hydropower Institute or that are eligible for a state Renewable Portfolio Standard; TC-IM-130a.1. 3.4.1 {hydropower source}For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following: Energy from biomass sources is limited to materials r:#CBD0E5;" class="term_secondary-verb">certified to a third-party standard (e.g., Forest Stewardship Council, Sustainable Forest Initiative, Programme for the Endorsement of Forest Certification, or American Tree Farm System), materials considered eligible sources of supply according to the Green-e Framework for Renewable Energy Certification, Version 1.0 (2017) or Green-e regional standards, and/or materials that are eligible for an applicable state renewable portfolio standard. TC-IM-130a.1. 3.4.2 For any renewable electricity generated on-site, any RECs and GOs must be retained (i.e., not sold) and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. TC-IM-130a.1. 3.3.1 For renewable PPAs and green power products, the agreement must explicitly include and convey that RECs and GOs be retained or replaced and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. TC-IM-130a.1. 3.3.2 The scope of renewable energy includes renewable fuel the entity consumed, renewable energy the entity directly produced, and renewable energy the entity purchased, if purchased through a renewable power purchase agreement (PPA) that explicitly includes renewable energy certificates (RECs) or Guarantees of Origin (GOs), a Green e Energy Certified utility or supplier program, or other green power products that explicitly ‐ include RECs or GOs, or for which Green e Energy Certified RECs are paired with grid electricity. TC-IM-130a.1. 3.3] | Establish/Maintain Documentation | Preventive | |
| Include the scope of energy consumption in the disclosure report. CC ID 15508 [The scope of energy consumption includes energy from all sources, including energy purchased from sources external to the entity and energy produced by the entity itself (self-generated). For example, direct fuel usage, purchased electricity, and heating, cooling, and steam energy are all included within the scope of energy consumption. TC-IM-130a.1. 1.1 The scope of energy consumption includes only energy directly consumed by the entity during the reporting period. TC-IM-130a.1. 1.2 The renewable portion of the electricity grid mix that is outside of the control or influence of the entity is excluded from the scope of renewable energy. TC-IM-130a.1. 3.3.3] | Establish/Maintain Documentation | Preventive | |
| Include the types of energy used in the disclosure report. CC ID 15748 | Establish/Maintain Documentation | Preventive | |
| Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Process or Activity | Preventive | |
| Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Establish/Maintain Documentation | Preventive | |
| Include the scope of recovered material in the disclosure report. CC ID 16204 | Establish/Maintain Documentation | Preventive | |
| Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Establish/Maintain Documentation | Preventive | |
| Include the risks represented by materials in the disclosure report. CC ID 16171 | Establish/Maintain Documentation | Preventive | |
| Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Establish/Maintain Documentation | Preventive | |
| Include management of the availability of materials in the disclosure report. CC ID 16167 | Establish/Maintain Documentation | Preventive | |
| Include management of the price of materials in the disclosure report. CC ID 16165 | Establish/Maintain Documentation | Preventive | |
| Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Establish/Maintain Documentation | Preventive | |
| Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Establish/Maintain Documentation | Preventive | |
| Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Establish/Maintain Documentation | Preventive | |
| Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Establish/Maintain Documentation | Preventive | |
| Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Establish/Maintain Documentation | Preventive | |
| Include the results of impact assessments in the disclosure report. CC ID 15820 | Establish/Maintain Documentation | Preventive | |
| Include a description of community development programs in the disclosure report. CC ID 15818 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact assessments in the disclosure report. CC ID 15817 | Establish/Maintain Documentation | Preventive | |
| Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Establish/Maintain Documentation | Preventive | |
| Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Establish/Maintain Documentation | Preventive | |
| Include trends in the frequency of incidents in the disclosure report. CC ID 15511 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Establish/Maintain Documentation | Preventive | |
| Include trends in the origination of incidents in the disclosure report. CC ID 15512 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Establish/Maintain Documentation | Preventive | |
| Include trends in incident type in the disclosure report. CC ID 15510 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Establish/Maintain Documentation | Preventive | |
| Include a description of water consumption in the disclosure report. CC ID 15754 | Establish/Maintain Documentation | Preventive | |
| Include changes in water storage in the disclosure report. CC ID 15762 | Establish/Maintain Documentation | Preventive | |
| Include a description of water discharge in the disclosure report. CC ID 15755 | Establish/Maintain Documentation | Preventive | |
| Include a description of water withdrawal in the disclosure report. CC ID 15753 | Establish/Maintain Documentation | Preventive | |
| Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Establish/Maintain Documentation | Preventive | |
| Include the effluent discharge standards in the disclosure report. CC ID 15757 | Establish/Maintain Documentation | Preventive | |
| Include water quality standards in the disclosure report. CC ID 15756 | Establish/Maintain Documentation | Preventive | |
| Include business continuity risks in the disclosure report. CC ID 15608 | Establish/Maintain Documentation | Preventive | |
| Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 [The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. TC-IM-230a.1. 2.2] | Establish/Maintain Documentation | Preventive | |
| Include recycling in the disclosure report. CC ID 15579 | Establish/Maintain Documentation | Preventive | |
| Include the scope of recycled material in the disclosure report. CC ID 16153 | Establish/Maintain Documentation | Preventive | |
| Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Establish/Maintain Documentation | Preventive | |
| Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Establish/Maintain Documentation | Preventive | |
| Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Establish/Maintain Documentation | Preventive | |
| Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Establish/Maintain Documentation | Preventive | |
| Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Establish/Maintain Documentation | Preventive | |
| Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Establish/Maintain Documentation | Preventive | |
| Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 [{disclose}{monetary loss} The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). TC-IM-220a.3. 3 {disclose}{monetary loss} The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). TC-IM-520a.1. 3] | Establish/Maintain Documentation | Preventive | |
| Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 [{first-party advertising} The scope of disclosure includes both first- and third-party advertising. TC-IM-220a.1. 5] | Establish/Maintain Documentation | Preventive | |
| Include the corrective action plan in the disclosure report. CC ID 15900 | Establish/Maintain Documentation | Preventive | |
| Include the costs of corrective actions in the disclosure report. CC ID 16098 | Establish/Maintain Documentation | Preventive | |
| Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Establish/Maintain Documentation | Preventive | |
| Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Establish/Maintain Documentation | Preventive | |
| Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 [The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. TC-IM-230a.1. 2.2] | Establish/Maintain Documentation | Preventive | |
| Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 [The scope of disclosure is limited to data breaches that resulted in a deviation from the entity's expected outcomes for confidentiality and/or integrity. TC-IM-230a.1. 1.2] | Establish/Maintain Documentation | Preventive | |
| Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 [The scope of disclosure is limited to breaches in which users were notified of the breach, either as required by law or voluntarily by the entity. TC-IM-230a.1. 2.3] | Establish/Maintain Documentation | Preventive | |
| Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Establish/Maintain Documentation | Preventive | |
| Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Establish/Maintain Documentation | Preventive | |
| Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Establish/Maintain Documentation | Preventive | |
| Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 [{legal fee} The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its ss="term_primary-noun">defense. TC-IM-220a.3. 4 {legal fee} The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its ss="term_primary-noun">defense. TC-IM-520a.1. 4] | Establish/Maintain Documentation | Preventive | |
| Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Establish/Maintain Documentation | Preventive | |
| Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1 The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Establish/Maintain Documentation | Preventive | |
| Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Establish/Maintain Documentation | Preventive | |
| Include non-monetary sanctions in the disclosure report. CC ID 15872 | Establish/Maintain Documentation | Preventive | |
| Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 | Establish/Maintain Documentation | Preventive | |
| Include the organization's name in the disclosure report. CC ID 15668 | Establish/Maintain Documentation | Preventive | |
| Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Establish/Maintain Documentation | Preventive | |
| Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 | Establish/Maintain Documentation | Preventive | |
| Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 | Establish/Maintain Documentation | Preventive | |
| Include a list of material topics in the disclosure report. CC ID 15656 | Establish/Maintain Documentation | Preventive | |
| Include changes to the list of material topics in the disclosure report. CC ID 15681 | Establish/Maintain Documentation | Preventive | |
| Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Establish/Maintain Documentation | Preventive | |
| Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Establish/Maintain Documentation | Preventive | |
| Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Establish/Maintain Documentation | Preventive | |
| Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 | Establish/Maintain Documentation | Preventive | |
| Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 | Establish/Maintain Documentation | Preventive | |
| Include the impacts related to each material topic in the disclosure report. CC ID 15682 | Establish/Maintain Documentation | Preventive | |
| Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Establish/Maintain Documentation | Preventive | |
| Include the impact duration in the disclosure report. CC ID 16036 | Establish/Maintain Documentation | Preventive | |
| Include the extent of impacts in the disclosure report. CC ID 16016 | Establish/Maintain Documentation | Preventive | |
| Include the process for determining material topics in the disclosure report. CC ID 15655 | Establish/Maintain Documentation | Preventive | |
| Refrain from including the same data in other required disclosures, as necessary. CC ID 15732 | Establish/Maintain Documentation | Preventive | |
| Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Establish/Maintain Documentation | Preventive | |
| Include risks to the achievement of goals and targets in the disclosure report. CC ID 16166 | Establish/Maintain Documentation | Preventive | |
| Include the timelines for achieving goals and targets in the disclosure report. CC ID 16164 | Establish/Maintain Documentation | Preventive | |
| Include the mechanisms for achieving goals and targets in the disclosure report. CC ID 16144 | Establish/Maintain Documentation | Preventive | |
| Include the progress towards goals and targets in the disclosure report. CC ID 15688 | Establish/Maintain Documentation | Preventive | |
| Include a justification for disclosures that do not reconcile with data reported in other required disclosures in the disclosure report. CC ID 16053 | Establish/Maintain Documentation | Preventive | |
| Include historical information and future-oriented information in the disclosure report. CC ID 16336 | Establish/Maintain Documentation | Preventive | |
| Include preventive actions in the disclosure report. CC ID 15796 | Establish/Maintain Documentation | Preventive | |
| Include the methodology for reporting future-oriented information in the disclosure report. CC ID 16335 | Establish/Maintain Documentation | Preventive | |
| Include the reporting period in the disclosure report. CC ID 15661 | Establish/Maintain Documentation | Preventive | |
| Include restatements of information from previous reporting periods and an explanation for their use in the disclosure report. CC ID 15827 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the disclosure report. CC ID 15846 | Establish/Maintain Documentation | Preventive | |
| Include the organization's location in the disclosure report. CC ID 16311 | Establish/Maintain Documentation | Preventive | |
| Include how conflicts of interest in roles are handled in the disclosure report. CC ID 15848 | Establish/Maintain Documentation | Preventive | |
| Include the reporting structure in the disclosure report. CC ID 15845 | Establish/Maintain Documentation | Preventive | |
| Include a description of whistleblowing mechanisms in the disclosure report. CC ID 16027 | Establish/Maintain Documentation | Preventive | |
| Include the differences between the list of entities in financial reporting and in sustainability reporting in the disclosure report. CC ID 15874 | Establish/Maintain Documentation | Preventive | |
| Include the governance structure in the disclosure report. CC ID 15840 | Establish/Maintain Documentation | Preventive | |
| Include stakeholder representation in the disclosure report. CC ID 15847 | Establish/Maintain Documentation | Preventive | |
| Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Establish/Maintain Documentation | Preventive | |
| Include a description of significant fluctuations in the total number of contractors and outsource partners in the disclosure report. CC ID 15839 | Establish/Maintain Documentation | Preventive | |
| Include a description of contractual relationships in the disclosure report. CC ID 15838 | Establish/Maintain Documentation | Preventive | |
| Include a description of significant fluctuations in the total number of employees in the disclosure report. CC ID 15836 | Establish/Maintain Documentation | Preventive | |
| Include research findings based on previous and current research methodologies in the disclosure report. CC ID 15630 [The entity may disclose results of other survey findings, such as the percentage of employees who are: proud of their work/where they work, inspired by their work/co-workers, and aligned with corporate strategy and goals. Note to TC-IM-330a.2 4 When the survey methodology has changed compared to previous reporting years, the entity shall indicate results based on both the old and new methods for the year in which the change is made. Note to TC-IM-330a.2 2] | Establish/Maintain Documentation | Preventive | |
| Include the methodology used to report numbers in the disclosure report. CC ID 15841 | Establish/Maintain Documentation | Preventive | |
| Include definitions of terms in the disclosure report. CC ID 15832 | Establish/Maintain Documentation | Preventive | |
| Include a description of third party relationships in the disclosure report. CC ID 15830 | Establish/Maintain Documentation | Preventive | |
| Include the type of work performed by contractors and outsource partners in the disclosure report. CC ID 15842 | Establish/Maintain Documentation | Preventive | |
| Include any changes made to information in restatements in the disclosure report. CC ID 15829 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining when to use restatements in the disclosure report. CC ID 15828 | Establish/Maintain Documentation | Preventive | |
| Include points of contact in the disclosure report. CC ID 15826 | Establish/Maintain Documentation | Preventive | |
| Include the reason that reporting periods for different reports do not align in the disclosure report. CC ID 15825 | Establish/Maintain Documentation | Preventive | |
| Include a description of how information is consolidated in the disclosure report. CC ID 15824 | Establish/Maintain Documentation | Preventive | |
| Include the legal form of organization in the disclosure report. CC ID 15823 | Establish/Maintain Documentation | Preventive | |
| Include the ownership structure in the disclosure report. CC ID 15822 | Establish/Maintain Documentation | Preventive | |
| Include the shareholding structure in the disclosure report. CC ID 16093 | Establish/Maintain Documentation | Preventive | |
| Include the processes used to collect and monitor in scope information in the disclosure report. CC ID 15779 | Establish/Maintain Documentation | Preventive | |
| Refrain from including out of scope information in the disclosure report. CC ID 15793 | Establish/Maintain Documentation | Preventive | |
| Include the processes used to assess third party compliance in the disclosure report. CC ID 15773 | Establish/Maintain Documentation | Preventive | |
| Include the calculation methodology in the disclosure report. CC ID 15733 [{employee engagement}The entity shall briefly describe: The methodology used to calculate the mary-noun">percentage Note to TC-IM-330a.2 1.2] | Establish/Maintain Documentation | Preventive | |
| Include the rationale for choosing the calculation methodology in the disclosure report. CC ID 15734 | Establish/Maintain Documentation | Preventive | |
| Include the effects of changes to calculation methodologies in the disclosure report. CC ID 16344 | Establish/Maintain Documentation | Preventive | |
| Include the source of conversion factors in the disclosure report. CC ID 15747 | Establish/Maintain Documentation | Preventive | |
| Include known limitations in the disclosure report. CC ID 15669 | Establish/Maintain Documentation | Preventive | |
| Include the lessons learned in the disclosure report. CC ID 15689 | Establish/Maintain Documentation | Preventive | |
| Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 | Establish/Maintain Documentation | Preventive | |
| Include whether training requirements apply to third parties in the disclosure report. CC ID 15727 | Establish/Maintain Documentation | Preventive | |
| Include a link to the content index in the disclosure report. CC ID 15666 | Establish/Maintain Documentation | Preventive | |
| Include stakeholder engagement activities in the disclosure report. CC ID 15691 | Establish/Maintain Documentation | Preventive | |
| Include supplemental disclosures in the disclosure report. CC ID 15629 [{gender representation}{racial group representation} The entity may provide> nd-color:#F0BBBC;" class="term_primary-noun">supplemental disclosures on gender and/or racial/ethnic group representation by country or region. TC-IM-330a.3. 7 {gender representation}{racial group representation} The entity may provide supplemental contextual disclosures on factors that significantly erm_secondary-verb">influence gender and/or racial/ethnic group representation, such as the country or region where employees are located. TC-IM-330a.3. 8] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 | Communicate | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
| Categorize the gender of all employees. CC ID 15609 [{not be available} The entity shall categorize the gender of its le="background-color:#F0BBBC;" class="term_primary-noun">employees as female, male, or ary-verb">not disclosed/available. TC-IM-330a.3. 5] | Human Resources Management | Preventive | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 [{racial group}{external requirement}{not be available} The entity shall categorize the racial/ethnic group of its U.S. employees in accordance with the EEO-1 Survey Instruction Booklet and use the following categories: Asian, Black or African American, Hispanic or Latino, White, Other (which includes Native American or Alaska Native, Native Hawaiian or Pacific Islander, and "Two or More Races" classifications), or not disclosed/available. TC-IM-330a.3. 6 {racial group}{external requirement}{not be available} The entity shall categorize the racial/ethnic group of its U.S. employees in accordance with the EEO-1 Survey Instruction Booklet and e="background-color:#B7D8ED;" class="term_primary-verb">use the following mary-noun">categories: Asian, Black or African American, Hispanic or Latino, White, Other (which includes Native American or Alaska Native, Native Hawaiian or Pacific Islander, and "Two or More Races" classifications), or not disclosed/available. TC-IM-330a.3. 6] | Human Resources Management | Preventive | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [{external requirement}{job description} For U.S. employees, the entity shall categorize the employeesan> in accordance with the Equal Employment Opportunity Commission's Employer Information EEO-1 report (EEO-1 Survey) Instruction Booklet, where each employee category for disclosure is class="term_secondary-verb">defined by corresponding job categories and descriptions in the Instruction Booklet: TC-IM-330a.3. 3 {external requirement} For non-U.S. employees, the entity shall categorize the employees in a manner generally consistent with the definitions provided above, though ="background-color:#CBD0E5;" class="term_secondary-verb">in accordance with, and further facilitated by, any applicable local regulations, guidance, or generally accepted definitions. TC-IM-330a.3. 4] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources Management | Preventive | |
| Establish and maintain an annual report on compensation. CC ID 14801 | Establish/Maintain Documentation | Preventive | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Communicate | Preventive | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Establish/Maintain Documentation | Preventive | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Establish/Maintain Documentation | Preventive | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources Management | Preventive | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources Management | Preventive | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Behavior | Preventive | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources Management | Preventive | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources Management | Preventive | |
| Establish, implement, and maintain job applications. CC ID 16180 | Establish/Maintain Documentation | Preventive | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources Management | Preventive | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources Management | Preventive | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources Management | Preventive | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources Management | Preventive | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources Management | Preventive | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources Management | Preventive | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources Management | Preventive | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources Management | Preventive | |
| Approve the wording of job applications. CC ID 16182 | Human Resources Management | Preventive | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources Management | Preventive | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources Management | Preventive | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources Management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
| Conduct personal data processing training. CC ID 13757 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Education: participation in educational efforts for consumers about behavioral online advertising TC-IM-220a.1. 6.1] | Training | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{data breaches} All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity's ability to maintain data privacy and rb">term_primary-noun">security. Note to TC-IM-230a.1 2 All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity's ability to maintain data privacy and security. TC-IM-230a.2. 6] | Business Processes | Preventive | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Establish/Maintain Documentation | Preventive | |
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 [The entity shall briefly describe: The source of its survey (e.g., third-party survey or entity's own) Note to TC-IM-330a.2 1.1] | Process or Activity | Preventive | |
| Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Business Processes | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Communicate | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Communicate | Preventive | |
| Identify the material topics required to be reported on. CC ID 15654 | Business Processes | Preventive | |
| Check the list of material topics for completeness. CC ID 15692 | Investigate | Preventive | |
| Prioritize material topics used in reporting. CC ID 15678 | Communicate | Preventive | |
| Review and approve the material topics, as necessary. CC ID 15670 | Process or Activity | Preventive | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 | Establish/Maintain Documentation | Preventive | |
| Include time requirements in the external reporting program. CC ID 16566 | Communicate | Preventive | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Establish/Maintain Documentation | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Communicate | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [Disclosure shall include, but is not limited to: Description of the extent of its use of cybersecurity risk management standard(s), such as by applicable operations, business unit, geography, product, or information system TC-IM-230a.2. 3.3.2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [Disclosure shall include, but is not limited to: Identification of the specific cybersecurity risk management standard(s) that have been implemented or are otherwise in use TC-IM-230a.2. 3.3.1] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 [The entity shall describe its use of third-party cybersecurity risk management standards. TC-IM-230a.2. 3] | Establish/Maintain Documentation | Preventive | |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 [Disclosure shall include, but is not limited to: Ongoing activities and initiatives related to increasing the use of class="term_primary-noun">cybersecurity risk management standards, even if such standards are not currently in use TC-IM-230a.2. 3.3.5] | Establish/Maintain Documentation | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk. TC-IM-230a.2. 1] | Establish/Maintain Documentation | Preventive | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 | Technical Security | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Technical Security | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
| Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
| Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 [{external requirement} The entity shall discuss the degree to which its policies and practices address similar " class="term_primary-noun">issues as those style="background-color:#CBD0E5;" class="term_secondary-verb">outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PIAs). TC-IM-220a.1. 3] | Monitor and Evaluate Occurrences | Preventive | |
| Convert data into standard units before reporting metrics. CC ID 15507 [The entity shall apply conversion factors consistently for all data reported under this disclosure, such as the use of HHVs for fuel usage (including biofuels) and conversion of kilowatt hours (kWh) to GJ (for energy data including electricity from solar or wind energy). TC-IM-130a.1. 4 If employee engagement is measured as an index (e.g., strength of employee agreement with a survey statement), the entity shall convert the index into a percentage for this disclosure. TC-IM-330a.2. 1.2] | Process or Activity | Corrective | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 [The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. TC-IM-220a.1. 1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 [{appropriate authority} In calculating energy consumption from fuels and biofuels, the entity shall usean> tyle="background-color:#F0BBBC;" class="term_primary-noun">higher heating values (HHV), also known as gross calorific values (GCV), which are directly measured or taken from the Intergovernmental Panel on Climate Change (IPCC), the U.S. Department of Energy (DOE), or the U.S. Energy Information Administration (EIA). TC-IM-130a.1. 1.3 {external requirement} If disclosing PUE, the entity shall follow the guidance and kground-color:#F0BBBC;" class="term_primary-noun">calculation methodology described in PUE™: A Comprehensive Examination of the Metric (2014), published by ASHRAE and The Green Grid Association. TC-IM-130a.1. 5.2] | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 [{separate} User accounts that the entity cannot verify as belonging to the same individual shall be ackground-color:#_secondary-verb">B7D8ED;" class="term_primary-verb">disclosed separately. TC-IM-220a.2. 1.3 {separate} Accounts that the entity cannot verify as belonging to the same userspan> shall be und-color:#B7D8ED_secondary-verb">;" class="term_primary-verb">disclosed separately. TC-IM-230a.1. 3.1] | Business Processes | Preventive | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 [The entity shall calculate and disclose (1) the total number of data breaches identified during the reporting period. TC-IM-230a.1. 1] | Actionable Reports or Measurements | Detective | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 [The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation. TC-IM-230a.1. 4] | Communicate | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
| Create an incident response report following an incident response. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [The entity shall describe the corrective actions taken in response to specific incidents, such as changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-230a.1 1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 [The entity should disclose its policy for disclosing data breaches to affected users in a timely manner. Note to TC-IM-230a.1 3] | Communicate | Preventive | |
| Conduct official proceedings, as necessary. CC ID 13836 | Human Resources Management | Preventive | |
| Conduct hearings, as necessary. CC ID 13016 | Process or Activity | Detective | |
| Communicate rulings to interested personnel and affected parties. CC ID 14860 [{disclose}{monetary loss}{result} The legal proceedings shall include any oun">adjudicative proceeding in which the entity was yle="background-color:#CBD0E5;" class="term_secondary-verb">involved, whether before a court, a regulator, an arbitrator, or otherwise. TC-IM-220a.3. 2 {disclose}{monetary loss}{result} The legal proceedings shall include any oun">adjudicative proceeding in which the entity was yle="background-color:#CBD0E5;" class="term_secondary-verb">involved, whether before a court, a regulator, an arbitrator, or otherwise. TC-IM-520a.1. 2] | Communicate | Corrective | |
| Establish, implement, and maintain an environmental management system. CC ID 14945 | Business Processes | Preventive | |
| Include risks and opportunities in the environmental management system. CC ID 15201 [{level}{be higher} The entity shall analyze all of its operations for water risks and identify activities that withdraw and consume water in locations with High (40–80 percent) or Extremely High (>80 percent) Baseline Water Stress as classified by the World Resources Institute's (WRI) Water Risk Atlas tool, Aqueduct. TC-IM-130a.2. 4 {level}{be higher} The entity shall analyze all of its operations for water risks and identify activities that withdraw and consume water in background-color:#F0BBBC;" class="term_primary-noun">locations with High (40–80 percent) or Extremely High (>80 percent) Baseline Water Stress as classified by the World Resources Institute's (WRI) Water Risk Atlas tool, Aqueduct. TC-IM-130a.2. 4] | Establish/Maintain Documentation | Preventive | |
| Analyze environmental aspects using established criteria. CC ID 15230 | Process or Activity | Detective | |
| Include the organization's significant environmental aspects in the environmental management system. CC ID 15176 [{integration}{environmental considerations} Discussion shall include, but is not limited to, how environmental factors impact the entity's decisions regarding the siting, design, construction, refurbishment, and operations of e="background-color:#F0BBBC;" class="term_primary-noun">data centers. TC-IM-130a.3. 2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an environmental policy. CC ID 14947 | Establish/Maintain Documentation | Preventive | |
| Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974 [The entity shall describe its approach to the integration of environmental considerations, including energy and water use, into strategic planning for data centers. TC-IM-130a.3. 1] | Establish/Maintain Documentation | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{information lifecycle} The entity shall describe the information "lifecycle" (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals' privacy. TC-IM-220a.1. 2] | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Transparency: clearly disclosing ary-noun">information about data collection and color:#F0BBBC;" class="term_primary-noun">data use practices TC-IM-220a.1. 6.2] | Data and Information Management | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Establish/Maintain Documentation | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Establish/Maintain Documentation | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Establish/Maintain Documentation | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Establish/Maintain Documentation | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Establish/Maintain Documentation | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 | Establish/Maintain Documentation | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Establish/Maintain Documentation | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Establish/Maintain Documentation | Preventive | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Communicate | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Communicate | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 | Communicate | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Communicate | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Communicate | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Communicate | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Establish/Maintain Documentation | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Establish/Maintain Documentation | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Establish/Maintain Documentation | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Establish/Maintain Documentation | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Establish/Maintain Documentation | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Establish/Maintain Documentation | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Establish/Maintain Documentation | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Communicate | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Communicate | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Communicate | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Communicate | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Communicate | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Data and Information Management | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Communicate | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Communicate | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Establish/Maintain Documentation | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Data and Information Management | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 | Communicate | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Communicate | Preventive | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Process or Activity | Detective | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Data and Information Management | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Communicate | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Establish/Maintain Documentation | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Behavior | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Establish Roles | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Establish/Maintain Documentation | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Establish/Maintain Documentation | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Establish/Maintain Documentation | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Establish/Maintain Documentation | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Establish/Maintain Documentation | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Establish/Maintain Documentation | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Establish/Maintain Documentation | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Establish/Maintain Documentation | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Data and Information Management | Preventive | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Process or Activity | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Process or Activity | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Data and Information Management | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Data and Information Management | Preventive | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Technical Security | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Records Management | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Records Management | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Records Management | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Records Management | Corrective | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Data and Information Management | Preventive | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Records Management | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Records Management | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Communicate | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Data and Information Management | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Data and Information Management | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Establish/Maintain Documentation | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Establish/Maintain Documentation | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Establish/Maintain Documentation | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Communicate | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Communicate | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Communicate | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Communicate | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Data and Information Management | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Data and Information Management | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Data and Information Management | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Establish/Maintain Documentation | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Communicate | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Communicate | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Communicate | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Communicate | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Process or Activity | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Process or Activity | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Process or Activity | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Process or Activity | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Process or Activity | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Data and Information Management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Establish/Maintain Documentation | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Establish/Maintain Documentation | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Establish/Maintain Documentation | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Establish/Maintain Documentation | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Establish/Maintain Documentation | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Establish/Maintain Documentation | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Establish/Maintain Documentation | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Establish/Maintain Documentation | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Establish/Maintain Documentation | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Communicate | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Establish/Maintain Documentation | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Process or Activity | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Establish/Maintain Documentation | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Technical Security | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Process or Activity | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. TC-IM-220a.1. 1] | Establish/Maintain Documentation | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Establish/Maintain Documentation | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Establish/Maintain Documentation | Detective | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Behavior | Preventive | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Establish/Maintain Documentation | Preventive | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Establish/Maintain Documentation | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 | Establish/Maintain Documentation | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Establish/Maintain Documentation | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Establish/Maintain Documentation | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Establish/Maintain Documentation | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Establish/Maintain Documentation | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Establish/Maintain Documentation | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Establish/Maintain Documentation | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Establish/Maintain Documentation | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Establish/Maintain Documentation | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Establish/Maintain Documentation | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Establish/Maintain Documentation | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 | Establish/Maintain Documentation | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Establish/Maintain Documentation | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Establish/Maintain Documentation | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Establish/Maintain Documentation | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Establish/Maintain Documentation | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Establish/Maintain Documentation | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Establish/Maintain Documentation | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Establish/Maintain Documentation | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Establish/Maintain Documentation | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Establish/Maintain Documentation | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Establish/Maintain Documentation | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 | Establish/Maintain Documentation | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Communicate | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Communicate | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Establish/Maintain Documentation | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Process or Activity | Preventive | |
| Approve the privacy plan. CC ID 14700 | Business Processes | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Establish/Maintain Documentation | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Establish/Maintain Documentation | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Establish/Maintain Documentation | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Establish/Maintain Documentation | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Establish/Maintain Documentation | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Establish/Maintain Documentation | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Communicate | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Establish/Maintain Documentation | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Communicate | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Business Processes | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Communicate | Corrective | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Consumer control: allowing users to choose whether data is collected or transferred to | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Human Resources Management | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Business Processes | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Establish/Maintain Documentation | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Establish/Maintain Documentation | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Establish/Maintain Documentation | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Establish/Maintain Documentation | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Establish/Maintain Documentation | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Establish/Maintain Documentation | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Business Processes | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Data and Information Management | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Data and Information Management | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Business Processes | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Process or Activity | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Establish/Maintain Documentation | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Business Processes | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Communicate | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Records Management | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Data and Information Management | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Data and Information Management | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Data and Information Management | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Accountability: le="background-color:#F0BBBC;" class="term_primary-noun">participation in self-regulatory organizations such as the Direct Marketing Association TC-IM-220a.1. 6.7] | Establish/Maintain Documentation | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Human Resources Management | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Human Resources Management | Preventive | |
| Notify the supervisory authority. CC ID 00472 | Behavior | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
| Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Process or Activity | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Data and Information Management | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Establish/Maintain Documentation | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Human Resources Management | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Establish/Maintain Documentation | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Establish/Maintain Documentation | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Establish/Maintain Documentation | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Establish/Maintain Documentation | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Establish/Maintain Documentation | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Establish/Maintain Documentation | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Establish/Maintain Documentation | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Establish/Maintain Documentation | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Establish/Maintain Documentation | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Establish/Maintain Documentation | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Establish/Maintain Documentation | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Establish/Maintain Documentation | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Establish/Maintain Documentation | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Establish/Maintain Documentation | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Establish/Maintain Documentation | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Establish/Maintain Documentation | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Establish/Maintain Documentation | Preventive | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Communicate | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Establish/Maintain Documentation | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Establish/Maintain Documentation | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Establish/Maintain Documentation | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Establish/Maintain Documentation | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Establish/Maintain Documentation | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Human Resources Management | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Behavior | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Behavior | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Behavior | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Material changes: obtaining oun">consent before applying changes to rimary-noun">policies that are less restrictive than existing ones TC-IM-220a.1. 6.5] | Behavior | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Establish/Maintain Documentation | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Data and Information Management | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5 The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5] | Establish/Maintain Documentation | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 [The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5] | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{disclosure}{user data} The entity may describe its policy for notifying users about such "term_primary-noun">requests>, including the timing of notification. TC-IM-220a.4. 6] | Behavior | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Data and Information Management | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 | Communicate | Preventive | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Behavior | Preventive | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Records Management | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Process or Activity | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Process or Activity | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Business Processes | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Process or Activity | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Process or Activity | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Establish/Maintain Documentation | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Records Management | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Records Management | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Records Management | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Records Management | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Records Management | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Records Management | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Records Management | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Records Management | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Records Management | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Records Management | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Records Management | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Records Management | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Records Management | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Records Management | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Records Management | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Establish Roles | Preventive | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Data and Information Management | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Data and Information Management | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Data and Information Management | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
| Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Data and Information Management | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Data and Information Management | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 | Data and Information Management | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Process or Activity | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Data and Information Management | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Data and Information Management | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Data and Information Management | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Data and Information Management | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Data and Information Management | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Data and Information Management | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Data and Information Management | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Data and Information Management | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Data and Information Management | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Data and Information Management | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Data and Information Management | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Data and Information Management | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Behavior | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Establish/Maintain Documentation | Preventive | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Communicate | Corrective | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Records Management | Preventive | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Communicate | Corrective | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Data and Information Management | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Establish/Maintain Documentation | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Data and Information Management | Detective | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Establish/Maintain Documentation | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Establish/Maintain Documentation | Preventive | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Communicate | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Data and Information Management | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Data and Information Management | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Data and Information Management | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Data and Information Management | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Establish/Maintain Documentation | Detective | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Data and Information Management | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Communicate | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Establish/Maintain Documentation | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Communicate | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Records Management | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Business Processes | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Data and Information Management | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Data and Information Management | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Establish/Maintain Documentation | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Data and Information Management | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Data and Information Management | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Data and Information Management | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Data and Information Management | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Data and Information Management | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Data and Information Management | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 | Establish/Maintain Documentation | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Data and Information Management | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Data and Information Management | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Data and Information Management | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Data and Information Management | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Business Processes | Detective | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 | Data and Information Management | Preventive | |
| Post the collection purpose. CC ID 00101 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Data and Information Management | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Data and Information Management | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Data and Information Management | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Data and Information Management | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Establish/Maintain Documentation | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
| Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
| Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 [{privacy regulation} The entity shall discuss how its policies and practices related to privacy of user information address E5;" class="term_secondary-verb">>children's privacy, which at a minimum includes the provisions of the U.S. Children's Online Privacy Protection Act (COPPA). TC-IM-220a.1. 4 With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: C;" class="term_primary-noun">Sensitive data: abiding by un">COPPA, and handling user data such as financial information, Social Security numbers, and medical information TC-IM-220a.1. 6.6] | Data and Information Management | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Data and Information Management | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Data and Information Management | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Data and Information Management | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Data and Information Management | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Data and Information Management | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Data and Information Management | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Data and Information Management | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Data and Information Management | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Data and Information Management | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Data and Information Management | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Data and Information Management | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Data and Information Management | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Data and Information Management | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Data and Information Management | Preventive | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
| Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Data security: providing basic security provisions and having clear policies relating to retentolor:#CBD0E5;" class="term_secondary-verb">ion> of lor:#F0BBBC;" class="term_primary-noun">user information TC-IM-220a.1. 6.4] | Technical Security | Preventive | |
| Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
| Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
| Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
| Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Data and Information Management | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 [{information lifecycle} The entity shall describe the information "lifecycle" (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals' noun">privacy. TC-IM-220a.1. 2] | Establish/Maintain Documentation | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
| Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Establish/Maintain Documentation | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Data and Information Management | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Business Processes | Preventive | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Behavior | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Establish/Maintain Documentation | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Communicate | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Data and Information Management | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Data and Information Management | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Data and Information Management | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Data and Information Management | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Data and Information Management | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Establish/Maintain Documentation | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Data and Information Management | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Records Management | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 | Behavior | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Establish/Maintain Documentation | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Data and Information Management | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Data and Information Management | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Data and Information Management | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Data and Information Management | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Data and Information Management | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Data and Information Management | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Data and Information Management | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Data and Information Management | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Data and Information Management | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Data and Information Management | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Business Processes | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Data and Information Management | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Data and Information Management | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Data and Information Management | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Data and Information Management | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Data and Information Management | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Data and Information Management | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Communicate | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Behavior | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Establish/Maintain Documentation | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Data and Information Management | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Data and Information Management | Preventive | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Process or Activity | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [{external requirement} The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PIAs). TC-IM-220a.1. 3] | Establish/Maintain Documentation | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities ass="term_primary-noun">individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), y-verb">including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the class="term_primary-noun">information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide imary-noun">information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Establish/Maintain Documentation | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Business Processes | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Communicate | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Human Resources Management | Detective | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Behavior | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 | Data and Information Management | Corrective | |
| File privacy rights violation complaints in writing. CC ID 00477 | Establish/Maintain Documentation | Corrective | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Establish/Maintain Documentation | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Establish/Maintain Documentation | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Behavior | Corrective | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Business Processes | Preventive | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Behavior | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Data and Information Management | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Establish/Maintain Documentation | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Establish/Maintain Documentation | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Establish/Maintain Documentation | Preventive | |
| Document unresolved challenges. CC ID 13568 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Establish/Maintain Documentation | Preventive | |
| Notify individuals of their right to challenge personal data. CC ID 00457 | Data and Information Management | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Data and Information Management | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Configuration | Preventive | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Human Resources Management | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Data and Information Management | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Data and Information Management | Preventive | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Behavior | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Behavior | Corrective | |
| Notify third parties of unresolved challenges. CC ID 13559 | Communicate | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Establish/Maintain Documentation | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Establish/Maintain Documentation | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Data and Information Management | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Business Processes | Corrective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Behavior | Detective | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Establish/Maintain Documentation | Preventive | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Behavior | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Behavior | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Behavior | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Behavior | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Behavior | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Communicate | Corrective | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Establish/Maintain Documentation | Corrective | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Behavior | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Establish/Maintain Documentation | Detective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Behavior | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Behavior | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Behavior | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Data and Information Management | Corrective | |
| Define the organization's liability based on the applicable law. CC ID 00504 | Establish/Maintain Documentation | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Establish/Maintain Documentation | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Communicate | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Communicate | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Establish/Maintain Documentation | Preventive | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Behavior | Preventive | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Testing | Detective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: BBC;" class="term_primary-noun">Sensitive data: abiding by COPPA, and handling user data such as financial information, Social Security numbers, and medical information TC-IM-220a.1. 6.6] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a customer due diligence program. CC ID 13618 | Establish/Maintain Documentation | Preventive | |
| Include ongoing monitoring in the customer due diligence program. CC ID 16629 | Monitor and Evaluate Occurrences | Preventive | |
| Retain records of the measures taken during customer due diligence. CC ID 16605 | Data and Information Management | Preventive | |
| Determine if customer due diligence measures are needed for existing customers. CC ID 16604 | Process or Activity | Detective | |
| Analyze the appropriateness of the customer due diligence program, as necessary. CC ID 13621 | Investigate | Preventive | |
| Define and assign the data controller's data quality roles and responsibilities. CC ID 00085 | Establish Roles | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Establish/Maintain Documentation | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 | Data and Information Management | Preventive | |
| Record restricted data correctly. CC ID 00089 | Testing | Detective | |
| Check the data accuracy of new accounts. CC ID 04859 | Data and Information Management | Preventive | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Establish/Maintain Documentation | Preventive | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Testing | Detective | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Data and Information Management | Preventive | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Data and Information Management | Preventive | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Data and Information Management | Preventive | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Data and Information Management | Preventive | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Data and Information Management | Preventive | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Data and Information Management | Preventive | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Data and Information Management | Preventive | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Data and Information Management | Preventive | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Data and Information Management | Detective | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Behavior | Detective | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Data and Information Management | Detective | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Business Processes | Detective | |
| Check that restricted data is complete. CC ID 00090 | Data and Information Management | Preventive | |
| Keep restricted data up-to-date and valid. CC ID 00091 | Data and Information Management | Preventive | |
| Maintain restricted data in a form that does not permit the identification of data subjects for longer than the processing purpose. CC ID 00092 | Data and Information Management | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 [{appropriate authority} In calculating energy consumption from fuels and biofuels, the entity shall usean> tyle="background-color:#F0BBBC;" class="term_primary-noun">higher heating values (HHV), also known as gross calorific values (GCV), which are directly measured or taken from the Intergovernmental Panel on Climate Change (IPCC), the U.S. Department of Energy (DOE), or the U.S. Energy Information Administration (EIA). TC-IM-130a.1. 1.3 {external requirement} If disclosing PUE, the entity shall follow the guidance and kground-color:#F0BBBC;" class="term_primary-noun">calculation methodology described in PUE™: A Comprehensive Examination of the Metric (2014), published by ASHRAE and The Green Grid Association. TC-IM-130a.1. 5.2] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 [The entity shall calculate and disclose (1) the total number of data breaches identified during the reporting period. TC-IM-230a.1. 1] | Monitoring and measurement | Detective | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-220a.3 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-520a.1 2] | Audits and risk management | Corrective | |
| Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 [{racial group representation} The entity shall disclose gender representation for all employees and racial/ethnic group representation for its U.S. employees by employee category. TC-IM-330a.3. 1 {gender representation}{racial group representation} The entity may disclose gender and/or racial/ethnic group representation by employee category in the following table formats: TC-IM-330a.3. 9] | Audits and risk management | Detective | |
| Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 | Audits and risk management | Detective | |
| Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 | Audits and risk management | Detective | |
| Include revenues in the disclosure report. CC ID 16099 | Audits and risk management | Detective | |
| Include the economic value distributed in the disclosure report. CC ID 16086 | Audits and risk management | Detective | |
| Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 | Audits and risk management | Detective | |
| Include total monetary value of payments to governments in the disclosure report. CC ID 16091 | Audits and risk management | Detective | |
| Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 | Audits and risk management | Detective | |
| Include total monetary value of community investments in the disclosure report. CC ID 16089 | Audits and risk management | Detective | |
| Include operating costs in the disclosure report. CC ID 16088 | Audits and risk management | Detective | |
| Include economic value retained in the disclosure report. CC ID 16094 | Audits and risk management | Detective | |
| Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 | Audits and risk management | Detective | |
| Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 | Audits and risk management | Detective | |
| Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 | Audits and risk management | Detective | |
| Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 | Audits and risk management | Detective | |
| Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 | Audits and risk management | Detective | |
| Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 | Audits and risk management | Detective | |
| Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 | Audits and risk management | Detective | |
| Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 | Audits and risk management | Detective | |
| Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 | Audits and risk management | Detective | |
| Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 | Audits and risk management | Detective | |
| Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 | Audits and risk management | Detective | |
| Include revenues from third party sales in the disclosure report. CC ID 16045 | Audits and risk management | Detective | |
| Include the profit and loss before tax in the disclosure report. CC ID 16044 | Audits and risk management | Detective | |
| Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 | Audits and risk management | Detective | |
| Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 | Audits and risk management | Detective | |
| Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 | Audits and risk management | Detective | |
| Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 | Audits and risk management | Detective | |
| Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 | Audits and risk management | Detective | |
| Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 | Audits and risk management | Detective | |
| Include the total number of incidents of corruption in the disclosure report. CC ID 16066 | Audits and risk management | Detective | |
| Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 | Audits and risk management | Detective | |
| Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 | Audits and risk management | Detective | |
| Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 | Audits and risk management | Detective | |
| Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 | Audits and risk management | Detective | |
| Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 | Audits and risk management | Detective | |
| Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 | Audits and risk management | Detective | |
| Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 | Audits and risk management | Detective | |
| Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 | Audits and risk management | Detective | |
| Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 | Audits and risk management | Detective | |
| Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 | Audits and risk management | Detective | |
| Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 | Audits and risk management | Detective | |
| Include gross direct greenhouse gas emissions in the disclosure report.. CC ID 16009 | Audits and risk management | Detective | |
| Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 | Audits and risk management | Detective | |
| Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 | Audits and risk management | Detective | |
| Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 | Audits and risk management | Detective | |
| Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 | Audits and risk management | Detective | |
| Include the total amount of significant air emissions in the disclosure report. CC ID 16005 | Audits and risk management | Detective | |
| Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 | Audits and risk management | Detective | |
| Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 | Audits and risk management | Detective | |
| Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 | Audits and risk management | Detective | |
| Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 | Audits and risk management | Detective | |
| Include the total emissions of particulate matter in the disclosure report. CC ID 16077 | Audits and risk management | Detective | |
| Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 | Audits and risk management | Detective | |
| Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 | Audits and risk management | Detective | |
| Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 | Audits and risk management | Detective | |
| Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 | Audits and risk management | Detective | |
| Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 | Audits and risk management | Detective | |
| Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 | Audits and risk management | Detective | |
| Include the total volume of significant spills in the disclosure report. CC ID 16010 | Audits and risk management | Detective | |
| Include the total number of significant spills in the disclosure report. CC ID 15965 | Audits and risk management | Detective | |
| Include the performance qualification score of laptops in the disclosure report. CC ID 16176 | Audits and risk management | Detective | |
| Include the battery life score of laptops in the disclosure report. CC ID 16175 | Audits and risk management | Detective | |
| Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 | Audits and risk management | Detective | |
| Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 | Audits and risk management | Detective | |
| Include the energy efficiency of server processors in the disclosure report. CC ID 16170 | Audits and risk management | Detective | |
| Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 | Audits and risk management | Detective | |
| Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 | Audits and risk management | Detective | |
| Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 | Audits and risk management | Detective | |
| Include the SPECspeed2017_fp_basescore/watt of desktop computers in the disclosure report. CC ID 16157 | Audits and risk management | Detective | |
| Include the average actual sustained download speed in the disclosure report. CC ID 15568 | Audits and risk management | Detective | |
| Include the average advertised download speed in the disclosure report. CC ID 15567 | Audits and risk management | Detective | |
| Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 [{level}{be higher} The entity shall disclose its water withdrawn in locations with High or Extremely High d-color:#F0BBBC;" class="term_primary-noun">Baseline Water Stress as a percentage of the total water withdrawn. TC-IM-130a.2. 5] | Audits and risk management | Detective | |
| Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 [{level}{be higher} The entity shall disclose its water consumed in locations with High or Extremely High -color:#F0BBBC;" class="term_primary-noun">Baseline Water Stress as a percentage of the total water consumed. TC-IM-130a.2. 6] | Audits and risk management | Detective | |
| Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 | Audits and risk management | Detective | |
| Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 | Audits and risk management | Detective | |
| Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 | Audits and risk management | Detective | |
| Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 | Audits and risk management | Detective | |
| Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 | Audits and risk management | Detective | |
| Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 | Audits and risk management | Detective | |
| Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 [The entity shall disclose the percentage of employees that are foreign nationals. TC-IM-330a.1. 1] | Audits and risk management | Preventive | |
| Include the percentage of offshore employees in the disclosure report. CC ID 15623 | Audits and risk management | Preventive | |
| Include the percentage of employee engagement in the disclosure report. CC ID 15634 [The entity shall disclose employee engagement as a percentage. TC-IM-330a.2. 1] | Audits and risk management | Preventive | |
| Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 | Audits and risk management | Detective | |
| Include the rate of new employee hires in the disclosure report. CC ID 15928 | Audits and risk management | Detective | |
| Include the total number of employees who left the organization in the disclosure report. CC ID 16127 | Audits and risk management | Detective | |
| Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 | Audits and risk management | Detective | |
| Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 | Audits and risk management | Detective | |
| Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 | Audits and risk management | Detective | |
| Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 | Audits and risk management | Detective | |
| Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 | Audits and risk management | Detective | |
| Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 | Audits and risk management | Detective | |
| Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 | Audits and risk management | Preventive | |
| Include the user average interruption duration in the disclosure report. CC ID 15558 | Audits and risk management | Detective | |
| Include the system average interruption frequency in the disclosure report. CC ID 15565 | Audits and risk management | Detective | |
| Include the total user downtime in the disclosure report. CC ID 15635 | Audits and risk management | Preventive | |
| Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 [{content removal request} The entity shall disclose the percentage of the requests from government or law enforcement agencies to remove content where the entity complied with the issuing agencies to remove content. TC-IM-220a.6. 2] | Audits and risk management | Preventive | |
| Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 | Audits and risk management | Detective | |
| Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 | Audits and risk management | Preventive | |
| Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 [{government request} The entity shall disclose (3) the percentage of government and law enforcement requests that resulted in disclosure to the ss="term_primary-noun">requesting party. TC-IM-220a.4. 3] | Audits and risk management | Detective | |
| Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 [The entity shall disclose (3) the total number of unique users who were affected by data breaches, which includes all those whose personal data was compromised in a data breach. TC-IM-230a.1. 3] | Audits and risk management | Detective | |
| Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 | Audits and risk management | Detective | |
| Include the power usage effectiveness in the disclosure report. CC ID 15552 [The entity may disclose the trailing twelve-month (TTM) weighted average power usage effectiveness (PUE) for its data centers. TC-IM-130a.1. 5] | Audits and risk management | Detective | |
| Include the energy intensity ratio in the disclosure report. CC ID 15735 | Audits and risk management | Preventive | |
| Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 [The entity shall disclose (3) the percentage of energy it consumed that is renewable energy. TC-IM-130a.1. 3] | Audits and risk management | Detective | |
| Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 [The entity shall disclose (2) the percentage of energy it consumed that was supplied from grid electricity. TC-IM-130a.1. 2] | Audits and risk management | Detective | |
| Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 | Audits and risk management | Detective | |
| Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 | Audits and risk management | Detective | |
| Include the weight of recovered materials in the disclosure report. CC ID 16203 | Audits and risk management | Detective | |
| Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 | Audits and risk management | Detective | |
| Include the rate of work-related injuries in the disclosure report. CC ID 15944 | Audits and risk management | Detective | |
| Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 | Audits and risk management | Detective | |
| Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 | Audits and risk management | Detective | |
| Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 | Audits and risk management | Detective | |
| Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 | Audits and risk management | Detective | |
| Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 | Audits and risk management | Detective | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Material changes: obtaining oun">consent before applying changes to rimary-noun">policies that are less restrictive than existing ones TC-IM-220a.1. 6.5] | Privacy protection for information and data | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{disclosure}{user data} The entity may describe its policy for notifying users about such "term_primary-noun">requests>, including the timing of notification. TC-IM-220a.4. 6] | Privacy protection for information and data | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Privacy protection for information and data | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Privacy protection for information and data | Corrective | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Detective | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Preventive | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Corrective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Corrective | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Preventive | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Detective | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{data breaches} All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity's ability to maintain data privacy and rb">term_primary-noun">security. Note to TC-IM-230a.1 2 All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity's ability to maintain data privacy and security. TC-IM-230a.2. 6] | Leadership and high level objectives | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
| Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Preventive | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 [{separate} User accounts that the entity cannot verify as belonging to the same individual shall be ackground-color:#_secondary-verb">B7D8ED;" class="term_primary-verb">disclosed separately. TC-IM-220a.2. 1.3 {separate} Accounts that the entity cannot verify as belonging to the same userspan> shall be und-color:#B7D8ED_secondary-verb">;" class="term_primary-verb">disclosed separately. TC-IM-230a.1. 3.1] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
| Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Preventive | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Preventive | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an environmental management system. CC ID 14945 | Operational management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Preventive | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Corrective | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Detective | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Preventive | |
| Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Preventive | |
| Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 [The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation. TC-IM-230a.1. 4] | Monitoring and measurement | Preventive | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
| Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 | Audits and risk management | Preventive | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Preventive | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 [The entity should disclose its policy for disclosing data breaches to affected users in a timely manner. Note to TC-IM-230a.1 3] | Operational management | Preventive | |
| Communicate rulings to interested personnel and affected parties. CC ID 14860 [{disclose}{monetary loss}{result} The legal proceedings shall include any oun">adjudicative proceeding in which the entity was yle="background-color:#CBD0E5;" class="term_secondary-verb">involved, whether before a court, a regulator, an arbitrator, or otherwise. TC-IM-220a.3. 2 {disclose}{monetary loss}{result} The legal proceedings shall include any oun">adjudicative proceeding in which the entity was yle="background-color:#CBD0E5;" class="term_secondary-verb">involved, whether before a court, a regulator, an arbitrator, or otherwise. TC-IM-520a.1. 2] | Operational management | Corrective | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Corrective | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Corrective | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Corrective | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Preventive | |
| Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Corrective | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Transparency: clearly disclosing ary-noun">information about data collection and color:#F0BBBC;" class="term_primary-noun">data use practices TC-IM-220a.1. 6.2] | Privacy protection for information and data | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Preventive | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Detective | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Preventive | |
| Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 [{privacy regulation} The entity shall discuss how its policies and practices related to privacy of user information address E5;" class="term_secondary-verb">>children's privacy, which at a minimum includes the provisions of the U.S. Children's Online Privacy Protection Act (COPPA). TC-IM-220a.1. 4 With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: C;" class="term_primary-noun">Sensitive data: abiding by un">COPPA, and handling user data such as financial information, Social Security numbers, and medical information TC-IM-220a.1. 6.6] | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Privacy protection for information and data | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
| Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Corrective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: BBC;" class="term_primary-noun">Sensitive data: abiding by COPPA, and handling user data such as financial information, Social Security numbers, and medical information TC-IM-220a.1. 6.6] | Privacy protection for information and data | Preventive | |
| Retain records of the measures taken during customer due diligence. CC ID 16605 | Privacy protection for information and data | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Preventive | |
| Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Preventive | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Preventive | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Preventive | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Preventive | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Preventive | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Preventive | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Preventive | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Preventive | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Preventive | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Detective | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Detective | |
| Check that restricted data is complete. CC ID 00090 | Privacy protection for information and data | Preventive | |
| Keep restricted data up-to-date and valid. CC ID 00091 | Privacy protection for information and data | Preventive | |
| Maintain restricted data in a form that does not permit the identification of data subjects for longer than the processing purpose. CC ID 00092 | Privacy protection for information and data | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Preventive | |
| Define and assign the data controller's data quality roles and responsibilities. CC ID 00085 | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Preventive | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Preventive | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Preventive | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [Disclosure shall include, but is not limited to: Description of the extent of its use of cybersecurity risk management standard(s), such as by applicable operations, business unit, geography, product, or information system TC-IM-230a.2. 3.3.2] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [Disclosure shall include, but is not limited to: Identification of the specific cybersecurity risk management standard(s) that have been implemented or are otherwise in use TC-IM-230a.2. 3.3.1] | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 [The entity shall describe its use of third-party cybersecurity risk management standards. TC-IM-230a.2. 3] | Leadership and high level objectives | Preventive | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 [Disclosure shall include, but is not limited to: Ongoing activities and initiatives related to increasing the use of class="term_primary-noun">cybersecurity risk management standards, even if such standards are not currently in use TC-IM-230a.2. 3.3.5] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk. TC-IM-230a.2. 1] | Monitoring and measurement | Preventive | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 [The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. TC-IM-220a.1. 1] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Corrective | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology. TC-IM-230a.2. 2 The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology. TC-IM-230a.2. 2 The entity shall describe management's approach to addressing the risks it has identified related to recruiting foreign nationals, which may include developing local talent pools, political lobbying for immigration reform, outsourcing of operations, or joining or forming industry partnerships. Note to TC-IM-330a.1 2] | Audits and risk management | Corrective | |
| Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [Disclosure shall include, but is not limited to: The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and | Audits and risk management | Preventive | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 [The entity may provide disclosures by region or country. TC-IM-220a.6. 5] | Audits and risk management | Preventive | |
| Include a summary of the questions and statements from surveys or studies in the disclosure report. CC ID 15631 [The entity shall briefly describe: A summary of questions or statements included in the survey or term_primary-noun">study (e.g., those related to goal setting, support to achieve goals, training and development, work processes, and commitment to the organization) Note to TC-IM-330a.2 1.3] | Audits and risk management | Preventive | |
| Include a statement that confidential information has been omitted in the disclosure report. CC ID 16598 | Audits and risk management | Preventive | |
| Include legal proceedings in the disclosure report. CC ID 15564 [{monetary loss} The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant :#F0BBBC;" class="term_primary-noun">industry regulations, such as: TC-IM-220a.3. 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: TC-IM-220a.3. 6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: TC-IM-520a.1. 6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant regulations, such as: TC-IM-520a.1. 5] | Audits and risk management | Preventive | |
| Include the context of monetary losses from legal proceedings in the disclosure report. CC ID 15533 [The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data, children's privacy) of all monetary losses as a result of legal proceedings. Note to TC-IM-220a.3 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings. Note to TC-IM-520a.1 1] | Audits and risk management | Preventive | |
| Include the nature of monetary losses from legal proceedings in the disclosure report. CC ID 15532 [The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data, children's privacy) of all monetary losses as a result of legal proceedings. Note to TC-IM-220a.3 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with incidents relating to user privacy. TC-IM-220a.3. 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings. Note to TC-IM-520a.1 1] | Audits and risk management | Preventive | |
| Include goals and targets in the disclosure report. CC ID 16339 | Audits and risk management | Preventive | |
| Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Audits and risk management | Preventive | |
| Include the relationship between organizational requirements and external requirements in the disclosure report. CC ID 16154 | Audits and risk management | Preventive | |
| Include external requirements in the disclosure report. CC ID 16150 | Audits and risk management | Preventive | |
| Include the classification of risks and opportunities posed by climate change in the disclosure report. CC ID 16096 | Audits and risk management | Preventive | |
| Include board oversight of risks and opportunities in the disclosure report. CC ID 16337 | Audits and risk management | Preventive | |
| Include risk management procedures in the disclosure report. CC ID 16058 | Audits and risk management | Preventive | |
| Include the risk management strategy in the disclosure report. CC ID 16348 | Audits and risk management | Preventive | |
| Include risk assessment procedures in the disclosure report. CC ID 16343 | Audits and risk management | Preventive | |
| Include the organization's primary activities in the disclosure report. CC ID 16043 | Audits and risk management | Preventive | |
| Include business operations owned by the organization in the disclosure report. CC ID 15614 | Audits and risk management | Preventive | |
| Include critical business operations that support cloud services in the disclosure report. CC ID 15612 | Audits and risk management | Preventive | |
| Include the relationship between the tax strategy and the organizational strategy in the disclosure report. CC ID 16035 | Audits and risk management | Preventive | |
| Include reference to assurance statements in the disclosure report. CC ID 16033 | Audits and risk management | Preventive | |
| Include a description of assurance processes in the disclosure report. CC ID 16031 | Audits and risk management | Preventive | |
| Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Preventive | |
| Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 | Audits and risk management | Preventive | |
| Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 [{racial group representation} The entity shall disclose gender representation for all employees and racial/ethnic group representation for its U.S. employees by employee category. TC-IM-330a.3. 1 {gender representation}{racial group representation} The entity may disclose gender and/or racial/ethnic group representation by employee category in the following table formats: TC-IM-330a.3. 9] | Audits and risk management | Preventive | |
| Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 | Audits and risk management | Preventive | |
| Include the number of individuals in each region in the disclosure report. CC ID 15835 | Audits and risk management | Preventive | |
| Include the number of individuals in each gender category in the disclosure report. CC ID 15633 | Audits and risk management | Preventive | |
| Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 | Audits and risk management | Preventive | |
| Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 | Audits and risk management | Preventive | |
| Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 | Audits and risk management | Preventive | |
| Include metrics criteria in the disclosure report. CC ID 16143 | Audits and risk management | Preventive | |
| Include risk management metrics in the disclosure report. CC ID 16345 | Audits and risk management | Preventive | |
| Include financial management metrics in the disclosure report. CC ID 16042 | Audits and risk management | Preventive | |
| Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 | Audits and risk management | Preventive | |
| Include metrics on anti-corruption in the disclosure report. CC ID 16052 | Audits and risk management | Preventive | |
| Include environmental management metrics in the disclosure report. CC ID 16012 | Audits and risk management | Preventive | |
| Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 | Audits and risk management | Preventive | |
| Include metrics on procurement practices in the disclosure report. CC ID 16011 | Audits and risk management | Preventive | |
| Include emissions management metrics in the disclosure report. CC ID 15987 | Audits and risk management | Preventive | |
| Include compliance metrics in the disclosure report. CC ID 15932 | Audits and risk management | Preventive | |
| Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 [The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with anti-competitive behavior such as those related to enforcement of laws and regulations on price fixing, anti-trust behavior (e.g., exclusivity contracts), patent misuse, or network effects and bundling of services and products to limit competition. TC-IM-520a.1. 1] | Audits and risk management | Preventive | |
| Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 | Audits and risk management | Preventive | |
| Include metrics on labor-management relations in the disclosure report. CC ID 15935 | Audits and risk management | Preventive | |
| Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 | Audits and risk management | Preventive | |
| Include waste management metrics in the disclosure report. CC ID 15925 | Audits and risk management | Preventive | |
| Include the total weight of waste generated in the disclosure report. CC ID 15778 | Audits and risk management | Preventive | |
| Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 | Audits and risk management | Preventive | |
| Include a breakdown of waste generated in the disclosure report. CC ID 15775 | Audits and risk management | Preventive | |
| Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 | Audits and risk management | Preventive | |
| Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 | Audits and risk management | Preventive | |
| Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 | Audits and risk management | Preventive | |
| Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 | Audits and risk management | Preventive | |
| Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 | Audits and risk management | Preventive | |
| Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 | Audits and risk management | Preventive | |
| Include a breakdown of waste diverted from disposal the disclosure report. CC ID 15767 | Audits and risk management | Preventive | |
| Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 | Audits and risk management | Preventive | |
| Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 | Audits and risk management | Preventive | |
| Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 | Audits and risk management | Preventive | |
| Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 | Audits and risk management | Preventive | |
| Include product and service management metrics in the disclosure report. CC ID 15917 | Audits and risk management | Preventive | |
| Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 | Audits and risk management | Preventive | |
| Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 | Audits and risk management | Preventive | |
| Include water management metrics in the disclosure report. CC ID 15924 | Audits and risk management | Preventive | |
| Include the total water withdrawal in the disclosure report. CC ID 15593 [The entity shall disclose the amount of water, in thousands of cubic meters, that was withdrawn from all sources. TC-IM-130a.2. 1] | Audits and risk management | Preventive | |
| Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 | Audits and risk management | Preventive | |
| Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 | Audits and risk management | Preventive | |
| Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 | Audits and risk management | Preventive | |
| Include the total water discharge in the disclosure report. CC ID 15758 | Audits and risk management | Preventive | |
| Include a breakdown of water discharge in the disclosure report. CC ID 15759 | Audits and risk management | Preventive | |
| Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 | Audits and risk management | Preventive | |
| Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 | Audits and risk management | Preventive | |
| Include the total water consumption in the disclosure report. CC ID 15642 [{saltwater} The entity may disclose portions of its supply by "background-color:#F0BBBC;" class="term_primary-noun">source if, for example, significant portions of withdrawals are from non-freshwater sources. TC-IM-130a.2. 2 The entity shall disclose the amount of water, in thousands of cubic meters, that was consumed in its operations. TC-IM-130a.2. 3] | Audits and risk management | Preventive | |
| Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 | Audits and risk management | Preventive | |
| Include the total number of complaints received in the disclosure report. CC ID 15728 | Audits and risk management | Preventive | |
| Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 [If results are limited to a subset of employees, the entity shall include the percentage of employees included in the study or survey and the representativeness of the sample. Note to TC-IM-330a.2 3 If results are limited to a subset of employees, the entity shall include the percentage of employees included in the study or survey and the representativeness of the sample. Note to TC-IM-330a.2 3] | Audits and risk management | Preventive | |
| Include employment practices metrics in the disclosure report. CC ID 15921 | Audits and risk management | Preventive | |
| Include the rate of employee turnover in the disclosure report. CC ID 15898 | Audits and risk management | Preventive | |
| Include the total number of new employee hires in the disclosure report. CC ID 15896 | Audits and risk management | Preventive | |
| Include the total number of employees in the disclosure report. CC ID 15834 | Audits and risk management | Preventive | |
| Include metrics on parental leave in the disclosure report. CC ID 15936 | Audits and risk management | Preventive | |
| Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 | Audits and risk management | Preventive | |
| Include the number of hours worked in the disclosure report. CC ID 15910 | Audits and risk management | Preventive | |
| Include metrics on public policy advocacy in the disclosure report. CC ID 15947 | Audits and risk management | Preventive | |
| Include the total monetary value of political contributions in the disclosure report. CC ID 15803 | Audits and risk management | Preventive | |
| Include metrics on training and education in the disclosure report. CC ID 15940 | Audits and risk management | Preventive | |
| Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 | Audits and risk management | Preventive | |
| Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 | Audits and risk management | Preventive | |
| Include operational metrics in the disclosure report. CC ID 15939 | Audits and risk management | Preventive | |
| Include incident management metrics in the disclosure report. CC ID 15926 | Audits and risk management | Preventive | |
| Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 | Audits and risk management | Preventive | |
| Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 | Audits and risk management | Preventive | |
| Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 | Audits and risk management | Preventive | |
| Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 | Audits and risk management | Preventive | |
| Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 [The entity shall disclose the number of unique users whose information is used for secondary purposes. TC-IM-220a.2. 1 The scope of disclosure shall include the users whose information is used by the entity itself for secondary purposes as well as the users whose information is provided to affiliates or non-affiliates to use for secondary purposes. TC-IM-220a.2. 2] | Audits and risk management | Preventive | |
| Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 | Audits and risk management | Preventive | |
| Include the number of content removal requests in the disclosure report. CC ID 15647 [The entity shall disclose the number of requests to remove content it received from government or law enforcement agencies. TC-IM-220a.6. 1] | Audits and risk management | Preventive | |
| Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Audits and risk management | Preventive | |
| Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 [The entity shall disclose (1) the total number of unique requests for user information, including user content and non-content data, from government or law enforcement agencies. TC-IM-220a.4. 1 The entity shall disclose (2) the total number of unique users whose information was requested by government or law enforcement agencies. TC-IM-220a.4. 2] | Audits and risk management | Preventive | |
| Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 [The entity shall disclose (2) the percentage of data breaches in which personally identifiable information (PII) was subject to the data breach. TC-IM-230a.1. 2] | Audits and risk management | Preventive | |
| Include third party management metrics in the disclosure report. CC ID 15923 | Audits and risk management | Preventive | |
| Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 | Audits and risk management | Preventive | |
| Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 | Audits and risk management | Preventive | |
| Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 | Audits and risk management | Preventive | |
| Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 | Audits and risk management | Preventive | |
| Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 | Audits and risk management | Preventive | |
| Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 | Audits and risk management | Preventive | |
| Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 | Audits and risk management | Preventive | |
| Include metrics on supplier social assessments in the disclosure report. CC ID 15938 | Audits and risk management | Preventive | |
| Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 | Audits and risk management | Preventive | |
| Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 | Audits and risk management | Preventive | |
| Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 | Audits and risk management | Preventive | |
| Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 | Audits and risk management | Preventive | |
| Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 | Audits and risk management | Preventive | |
| Include customer health and safety management metrics in the disclosure report. CC ID 15922 | Audits and risk management | Preventive | |
| Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 | Audits and risk management | Preventive | |
| Include energy management metrics in the disclosure report. CC ID 15920 | Audits and risk management | Preventive | |
| Include the total energy reduction in the disclosure report. CC ID 15749 | Audits and risk management | Preventive | |
| Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 | Audits and risk management | Preventive | |
| Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 | Audits and risk management | Preventive | |
| Include the total heating sold in the disclosure report. CC ID 15739 | Audits and risk management | Preventive | |
| Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 | Audits and risk management | Preventive | |
| Include the total electricity sold in the disclosure report. CC ID 15740 | Audits and risk management | Preventive | |
| Include the total energy consumption in the disclosure report. CC ID 15506 [The entity shall disclose (1) the total amount of energy it consumed as an aggregate figure, in gigajoules (GJ). TC-IM-130a.1. 1] | Audits and risk management | Preventive | |
| Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 | Audits and risk management | Preventive | |
| Include the total heating consumption in the disclosure report. CC ID 15743 | Audits and risk management | Preventive | |
| Include the total cooling sold in the disclosure report. CC ID 15738 | Audits and risk management | Preventive | |
| Include the total cooling consumption in the disclosure report. CC ID 15742 | Audits and risk management | Preventive | |
| Include the total steam sold in the disclosure report. CC ID 15737 | Audits and risk management | Preventive | |
| Include the total steam consumption in the disclosure report. CC ID 15741 | Audits and risk management | Preventive | |
| Include the fuel types used in the disclosure report. CC ID 15745 | Audits and risk management | Preventive | |
| Include materials management metrics in the disclosure report. CC ID 15919 | Audits and risk management | Preventive | |
| Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 | Audits and risk management | Preventive | |
| Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 | Audits and risk management | Preventive | |
| Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 | Audits and risk management | Preventive | |
| Include occupational health and safety management metrics in the disclosure report. CC ID 15918 | Audits and risk management | Preventive | |
| Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 | Audits and risk management | Preventive | |
| Include the total number of work-related injuries in the disclosure report. CC ID 15899 | Audits and risk management | Preventive | |
| Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 | Audits and risk management | Preventive | |
| Include outsourcing arrangements in the disclosure report. CC ID 15621 [{environmental considerations} The scope of disclosure includes considerations for existing owned data centers, development of new data centers, and outsourcing of y-noun">data center services, where relevant. TC-IM-130a.3. 3] | Audits and risk management | Preventive | |
| Include business operations outsourced to third parties in the disclosure report. CC ID 15616 | Audits and risk management | Preventive | |
| Include how material topics are managed in the disclosure report. CC ID 15657 | Audits and risk management | Preventive | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Preventive | |
| Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Audits and risk management | Preventive | |
| Include the content removal policy in the disclosure report. CC ID 15650 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3 The entity may break out categories of request type (e.g., copyright takedown notices, illegal hate speech). TC-IM-220a.6. 4] | Audits and risk management | Preventive | |
| Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Audits and risk management | Preventive | |
| Include requirements for content removal requests in the disclosure report. CC ID 15652 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Audits and risk management | Preventive | |
| Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Audits and risk management | Preventive | |
| Include the scope of content removal requests in the disclosure report. CC ID 15648 [The scope of content removal requests includes, but is not limited to, instances where the content is restricted in one or more markets the entity operates in, but not others. TC-IM-220a.6. 1.1 {content removal request} The scope of requests the entity complied with shall include requests that resulted in full or partial compliance with the disclosure request within the reporting period. TC-IM-220a.6. 2.2] | Audits and risk management | Preventive | |
| Include a description of data subjects in the disclosure report. CC ID 16791 | Audits and risk management | Preventive | |
| Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Audits and risk management | Preventive | |
| Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Audits and risk management | Preventive | |
| Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Audits and risk management | Preventive | |
| Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Audits and risk management | Preventive | |
| Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 [Where relevant, the entity shall discuss its policies and practices related to freedom of expression, including how they influence its decision making when operating in countries that may request or require some form of monitoring, blocking, content filtering, or censoring of the entity's content. Note to TC-IM-220a.5 4 Where relevant, the entity shall discuss its policies and practices related to freedom of expression, including how they influence its decision making when operating in countries that may request or require some form of monitoring, blocking, content filtering, or censoring of the entity's content. Note to TC-IM-220a.5 4] | Audits and risk management | Preventive | |
| Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Audits and risk management | Preventive | |
| Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 [{government request}{law enforcement request}{user information} The scope of requests that resulted in disclosure shall include requests that resulted in full or partial compliance with the disclosure request within the reporting period. TC-IM-220a.4. 3.2] | Audits and risk management | Preventive | |
| Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 [The scope of disclosure shall include the users whose information is used by the entity itself for secondary purposes as well as the users whose information is provided to affiliates or non-affiliates to use for secondary purposes. TC-IM-220a.2. 2] | Audits and risk management | Preventive | |
| Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 [The scope of this requests that resulted in disclosure shall include disclosure of aggregated, de-identified, and anonymized data, which is intended to prevent the recipient from reconfiguring the data to identify an individual's actions or identity. TC-IM-220a.4. 3.3] | Audits and risk management | Preventive | |
| Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Audits and risk management | Preventive | |
| Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Audits and risk management | Preventive | |
| Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Audits and risk management | Preventive | |
| Include significant risks related to corruption in the disclosure report. CC ID 16065 | Audits and risk management | Preventive | |
| Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Audits and risk management | Preventive | |
| Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Audits and risk management | Preventive | |
| Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Audits and risk management | Preventive | |
| Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Audits and risk management | Preventive | |
| Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Audits and risk management | Preventive | |
| Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Audits and risk management | Preventive | |
| Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Audits and risk management | Preventive | |
| Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Audits and risk management | Preventive | |
| Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Audits and risk management | Preventive | |
| Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Audits and risk management | Preventive | |
| Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Audits and risk management | Preventive | |
| Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Audits and risk management | Preventive | |
| Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Audits and risk management | Preventive | |
| Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Audits and risk management | Preventive | |
| Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Audits and risk management | Preventive | |
| Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Audits and risk management | Preventive | |
| Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Audits and risk management | Preventive | |
| Include the tax jurisdictions in the disclosure report. CC ID 16047 | Audits and risk management | Preventive | |
| Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Audits and risk management | Preventive | |
| Include the tax strategy in the disclosure report. CC ID 16029 | Audits and risk management | Preventive | |
| Include the tax governance and control framework in the disclosure report. CC ID 16028 | Audits and risk management | Preventive | |
| Include the management of tax risks in the disclosure report. CC ID 16026 | Audits and risk management | Preventive | |
| Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Audits and risk management | Preventive | |
| Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Audits and risk management | Preventive | |
| Include the local minimum wage in the disclosure report. CC ID 15992 | Audits and risk management | Preventive | |
| Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Audits and risk management | Preventive | |
| Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Audits and risk management | Preventive | |
| Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Audits and risk management | Preventive | |
| Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Audits and risk management | Preventive | |
| Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Audits and risk management | Preventive | |
| Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Audits and risk management | Preventive | |
| Include the emissions management plan in the disclosure report. CC ID 16177 | Audits and risk management | Preventive | |
| Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Audits and risk management | Preventive | |
| Include emission reduction targets in the disclosure report. CC ID 16148 | Audits and risk management | Preventive | |
| Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Audits and risk management | Preventive | |
| Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Audits and risk management | Preventive | |
| Include a description of carbon offsets in the disclosure report. CC ID 15988 | Audits and risk management | Preventive | |
| Include the design and development of data centers in the disclosure report. CC ID 15620 [{environmental considerations} The scope of disclosure includes considerations for existing owned _primary-noun">d"background-color:#CBD0E5;" class="term_secondary-verb">ata centers, development of new data centers, and outsourcing of data center services, where relevant. TC-IM-130a.3. 3] | Audits and risk management | Preventive | |
| Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 [The scope of this disclosure includes company operations that have been discontinued, or were never offered, in a region due to government activity related to monitoring, blocking, content filtering, or censoring. TC-IM-220a.5. 2 {governmental body}{judicial authority} The entity shall disclose a list of the countries where its products and services are monitored, blocked, content is filtered, or censored due to governmental, judicial, or law enforcement requests or requirements, where: TC-IM-220a.5. 1] | Audits and risk management | Preventive | |
| Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Audits and risk management | Preventive | |
| Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 [The entity may discuss implications of blocking or censorship, such as affecting ability to grow market share, or increased costs to comply with these restrictions. Note to TC-IM-220a.5 2] | Audits and risk management | Preventive | |
| Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall nd-color:#B7D8ED;" class="term_primary-verb">identify</span> the product or service ="background-color:#CBD0E5;" class="term_secondary-verb">affected and discuss the nature of the modification, indicating whether modification was undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its home country or other significant markets. Note to TC-IM-220a.5 3] | Audits and risk management | Preventive | |
| Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall identify the product or service affected and rm_primary-verb">discuss the round-color:#F0BBBC;" class="term_primary-noun">nature of the modification, indicating whether modification was term_secondary-verb">undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its home country or other significant markets. Note to TC-IM-220a.5 3] | Audits and risk management | Preventive | |
| Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall identify the product or service affected and discuss the nature of the modification, indicating whether modification was undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its <span style="background-color:#F0BBBC;" class="term_primary-noun">home country or other significant markets. Note to TC-IM-220a.5 3] | Audits and risk management | Preventive | |
| Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Audits and risk management | Preventive | |
| Include the nature of complaints received in the disclosure report. CC ID 15844 | Audits and risk management | Preventive | |
| Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Audits and risk management | Preventive | |
| Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Audits and risk management | Preventive | |
| Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Audits and risk management | Preventive | |
| Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Audits and risk management | Preventive | |
| Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Audits and risk management | Preventive | |
| Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Audits and risk management | Preventive | |
| Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Audits and risk management | Preventive | |
| Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Audits and risk management | Preventive | |
| Include the employee representation program in the disclosure report. CC ID 15628 [The entity shall describe its policies and programs for fostering equitable employee representation across its global operations. Note to TC-IM-330a.3 1] | Audits and risk management | Preventive | |
| Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Audits and risk management | Preventive | |
| Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Audits and risk management | Preventive | |
| Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Audits and risk management | Preventive | |
| Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Audits and risk management | Preventive | |
| Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Audits and risk management | Preventive | |
| Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Audits and risk management | Preventive | |
| Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Audits and risk management | Preventive | |
| Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Audits and risk management | Preventive | |
| Include work-related hazards in the disclosure report. CC ID 15911 | Audits and risk management | Preventive | |
| Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Audits and risk management | Preventive | |
| Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Audits and risk management | Preventive | |
| Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Audits and risk management | Preventive | |
| Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Audits and risk management | Preventive | |
| Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Audits and risk management | Preventive | |
| Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Audits and risk management | Preventive | |
| Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Audits and risk management | Preventive | |
| Include the main types of work-related injury in the disclosure report. CC ID 15959 | Audits and risk management | Preventive | |
| Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Audits and risk management | Preventive | |
| Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Audits and risk management | Preventive | |
| Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Audits and risk management | Preventive | |
| Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Audits and risk management | Preventive | |
| Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Audits and risk management | Preventive | |
| Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Audits and risk management | Preventive | |
| Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Audits and risk management | Preventive | |
| Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 [The entity shall describe potential risks from recruiting foreign nationals, which may arise from immigration, naturalization, or visa regulations. Note to TC-IM-330a.1 1] | Audits and risk management | Preventive | |
| Include the process for reporting near misses in the disclosure report. CC ID 16211 | Audits and risk management | Preventive | |
| Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Audits and risk management | Preventive | |
| Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Audits and risk management | Preventive | |
| Include the Code of Conduct in the disclosure report. CC ID 16205 | Audits and risk management | Preventive | |
| Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Audits and risk management | Preventive | |
| Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Audits and risk management | Preventive | |
| Include the scope of work stoppages in the disclosure report. CC ID 16215 | Audits and risk management | Preventive | |
| Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Audits and risk management | Preventive | |
| Include the impact of work stoppages in the disclosure report. CC ID 16212 | Audits and risk management | Preventive | |
| Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Audits and risk management | Preventive | |
| Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Audits and risk management | Preventive | |
| Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Audits and risk management | Preventive | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 | Audits and risk management | Preventive | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Preventive | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Preventive | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Preventive | |
| Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Audits and risk management | Preventive | |
| Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Audits and risk management | Preventive | |
| Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Audits and risk management | Preventive | |
| Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Audits and risk management | Preventive | |
| Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Audits and risk management | Preventive | |
| Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Audits and risk management | Preventive | |
| Include the material of spills in the disclosure report. CC ID 15968 | Audits and risk management | Preventive | |
| Include the location of spills in the disclosure report. CC ID 15964 | Audits and risk management | Preventive | |
| Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Audits and risk management | Preventive | |
| Include products that contain declarable substances in the disclosure report. CC ID 16161 | Audits and risk management | Preventive | |
| Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Audits and risk management | Preventive | |
| Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Audits and risk management | Preventive | |
| Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Audits and risk management | Preventive | |
| Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Audits and risk management | Preventive | |
| Include the scope of renewable energy in the disclosure report. CC ID 15509 [{hydropower source}{relevant authority}For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following: Energy from hydro sources is round-color:#B7D8ED;" class="term_primary-verb">limited to those that are m_secondary-verb">certified by the Low Impact Hydropower Institute or that are eligible for a state Renewable Portfolio Standard; TC-IM-130a.1. 3.4.1 {hydropower source}For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following: Energy from biomass sources is limited to materials r:#CBD0E5;" class="term_secondary-verb">certified to a third-party standard (e.g., Forest Stewardship Council, Sustainable Forest Initiative, Programme for the Endorsement of Forest Certification, or American Tree Farm System), materials considered eligible sources of supply according to the Green-e Framework for Renewable Energy Certification, Version 1.0 (2017) or Green-e regional standards, and/or materials that are eligible for an applicable state renewable portfolio standard. TC-IM-130a.1. 3.4.2 For any renewable electricity generated on-site, any RECs and GOs must be retained (i.e., not sold) and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. TC-IM-130a.1. 3.3.1 For renewable PPAs and green power products, the agreement must explicitly include and convey that RECs and GOs be retained or replaced and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. TC-IM-130a.1. 3.3.2 The scope of renewable energy includes renewable fuel the entity consumed, renewable energy the entity directly produced, and renewable energy the entity purchased, if purchased through a renewable power purchase agreement (PPA) that explicitly includes renewable energy certificates (RECs) or Guarantees of Origin (GOs), a Green e Energy Certified utility or supplier program, or other green power products that explicitly ‐ include RECs or GOs, or for which Green e Energy Certified RECs are paired with grid electricity. TC-IM-130a.1. 3.3] | Audits and risk management | Preventive | |
| Include the scope of energy consumption in the disclosure report. CC ID 15508 [The scope of energy consumption includes energy from all sources, including energy purchased from sources external to the entity and energy produced by the entity itself (self-generated). For example, direct fuel usage, purchased electricity, and heating, cooling, and steam energy are all included within the scope of energy consumption. TC-IM-130a.1. 1.1 The scope of energy consumption includes only energy directly consumed by the entity during the reporting period. TC-IM-130a.1. 1.2 The renewable portion of the electricity grid mix that is outside of the control or influence of the entity is excluded from the scope of renewable energy. TC-IM-130a.1. 3.3.3] | Audits and risk management | Preventive | |
| Include the types of energy used in the disclosure report. CC ID 15748 | Audits and risk management | Preventive | |
| Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Audits and risk management | Preventive | |
| Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Audits and risk management | Preventive | |
| Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Audits and risk management | Preventive | |
| Include the scope of recovered material in the disclosure report. CC ID 16204 | Audits and risk management | Preventive | |
| Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Audits and risk management | Preventive | |
| Include the risks represented by materials in the disclosure report. CC ID 16171 | Audits and risk management | Preventive | |
| Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Audits and risk management | Preventive | |
| Include management of the availability of materials in the disclosure report. CC ID 16167 | Audits and risk management | Preventive | |
| Include management of the price of materials in the disclosure report. CC ID 16165 | Audits and risk management | Preventive | |
| Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Audits and risk management | Preventive | |
| Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Audits and risk management | Preventive | |
| Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Audits and risk management | Preventive | |
| Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Audits and risk management | Preventive | |
| Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Audits and risk management | Preventive | |
| Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Audits and risk management | Preventive | |
| Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Audits and risk management | Preventive | |
| Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Audits and risk management | Preventive | |
| Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Audits and risk management | Preventive | |
| Include the results of impact assessments in the disclosure report. CC ID 15820 | Audits and risk management | Preventive | |
| Include a description of community development programs in the disclosure report. CC ID 15818 | Audits and risk management | Preventive | |
| Include a description of the impact assessments in the disclosure report. CC ID 15817 | Audits and risk management | Preventive | |
| Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Audits and risk management | Preventive | |
| Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Audits and risk management | Preventive | |
| Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Audits and risk management | Preventive | |
| Include trends in the frequency of incidents in the disclosure report. CC ID 15511 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Audits and risk management | Preventive | |
| Include trends in the origination of incidents in the disclosure report. CC ID 15512 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Audits and risk management | Preventive | |
| Include trends in incident type in the disclosure report. CC ID 15510 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Audits and risk management | Preventive | |
| Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Audits and risk management | Preventive | |
| Include a description of water consumption in the disclosure report. CC ID 15754 | Audits and risk management | Preventive | |
| Include changes in water storage in the disclosure report. CC ID 15762 | Audits and risk management | Preventive | |
| Include a description of water discharge in the disclosure report. CC ID 15755 | Audits and risk management | Preventive | |
| Include a description of water withdrawal in the disclosure report. CC ID 15753 | Audits and risk management | Preventive | |
| Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Audits and risk management | Preventive | |
| Include the effluent discharge standards in the disclosure report. CC ID 15757 | Audits and risk management | Preventive | |
| Include water quality standards in the disclosure report. CC ID 15756 | Audits and risk management | Preventive | |
| Include business continuity risks in the disclosure report. CC ID 15608 | Audits and risk management | Preventive | |
| Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 [The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. TC-IM-230a.1. 2.2] | Audits and risk management | Preventive | |
| Include recycling in the disclosure report. CC ID 15579 | Audits and risk management | Preventive | |
| Include the scope of recycled material in the disclosure report. CC ID 16153 | Audits and risk management | Preventive | |
| Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Audits and risk management | Preventive | |
| Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Audits and risk management | Preventive | |
| Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Audits and risk management | Preventive | |
| Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Audits and risk management | Preventive | |
| Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Audits and risk management | Preventive | |
| Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Audits and risk management | Preventive | |
| Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 [{disclose}{monetary loss} The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). TC-IM-220a.3. 3 {disclose}{monetary loss} The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). TC-IM-520a.1. 3] | Audits and risk management | Preventive | |
| Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 [{first-party advertising} The scope of disclosure includes both first- and third-party advertising. TC-IM-220a.1. 5] | Audits and risk management | Preventive | |
| Include the corrective action plan in the disclosure report. CC ID 15900 | Audits and risk management | Preventive | |
| Include the costs of corrective actions in the disclosure report. CC ID 16098 | Audits and risk management | Preventive | |
| Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Audits and risk management | Preventive | |
| Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Audits and risk management | Preventive | |
| Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 [The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. TC-IM-230a.1. 2.2] | Audits and risk management | Preventive | |
| Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 [The scope of disclosure is limited to data breaches that resulted in a deviation from the entity's expected outcomes for confidentiality and/or integrity. TC-IM-230a.1. 1.2] | Audits and risk management | Preventive | |
| Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 [The scope of disclosure is limited to breaches in which users were notified of the breach, either as required by law or voluntarily by the entity. TC-IM-230a.1. 2.3] | Audits and risk management | Preventive | |
| Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Audits and risk management | Preventive | |
| Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Audits and risk management | Preventive | |
| Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Audits and risk management | Preventive | |
| Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 [{legal fee} The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its ss="term_primary-noun">defense. TC-IM-220a.3. 4 {legal fee} The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its ss="term_primary-noun">defense. TC-IM-520a.1. 4] | Audits and risk management | Preventive | |
| Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Audits and risk management | Preventive | |
| Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1 The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Audits and risk management | Preventive | |
| Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Audits and risk management | Preventive | |
| Include non-monetary sanctions in the disclosure report. CC ID 15872 | Audits and risk management | Preventive | |
| Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 | Audits and risk management | Preventive | |
| Include the organization's name in the disclosure report. CC ID 15668 | Audits and risk management | Preventive | |
| Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Audits and risk management | Preventive | |
| Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 | Audits and risk management | Preventive | |
| Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 | Audits and risk management | Preventive | |
| Include a list of material topics in the disclosure report. CC ID 15656 | Audits and risk management | Preventive | |
| Include changes to the list of material topics in the disclosure report. CC ID 15681 | Audits and risk management | Preventive | |
| Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Audits and risk management | Preventive | |
| Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 | Audits and risk management | Preventive | |
| Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Audits and risk management | Preventive | |
| Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Audits and risk management | Preventive | |
| Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 | Audits and risk management | Preventive | |
| Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 | Audits and risk management | Preventive | |
| Include the impacts related to each material topic in the disclosure report. CC ID 15682 | Audits and risk management | Preventive | |
| Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Audits and risk management | Preventive | |
| Include the impact duration in the disclosure report. CC ID 16036 | Audits and risk management | Preventive | |
| Include the extent of impacts in the disclosure report. CC ID 16016 | Audits and risk management | Preventive | |
| Include the process for determining material topics in the disclosure report. CC ID 15655 | Audits and risk management | Preventive | |
| Refrain from including the same data in other required disclosures, as necessary. CC ID 15732 | Audits and risk management | Preventive | |
| Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Audits and risk management | Preventive | |
| Include risks to the achievement of goals and targets in the disclosure report. CC ID 16166 | Audits and risk management | Preventive | |
| Include the timelines for achieving goals and targets in the disclosure report. CC ID 16164 | Audits and risk management | Preventive | |
| Include the mechanisms for achieving goals and targets in the disclosure report. CC ID 16144 | Audits and risk management | Preventive | |
| Include the progress towards goals and targets in the disclosure report. CC ID 15688 | Audits and risk management | Preventive | |
| Include a justification for disclosures that do not reconcile with data reported in other required disclosures in the disclosure report. CC ID 16053 | Audits and risk management | Preventive | |
| Include historical information and future-oriented information in the disclosure report. CC ID 16336 | Audits and risk management | Preventive | |
| Include preventive actions in the disclosure report. CC ID 15796 | Audits and risk management | Preventive | |
| Include the methodology for reporting future-oriented information in the disclosure report. CC ID 16335 | Audits and risk management | Preventive | |
| Include the reporting period in the disclosure report. CC ID 15661 | Audits and risk management | Preventive | |
| Include restatements of information from previous reporting periods and an explanation for their use in the disclosure report. CC ID 15827 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the disclosure report. CC ID 15846 | Audits and risk management | Preventive | |
| Include the organization's location in the disclosure report. CC ID 16311 | Audits and risk management | Preventive | |
| Include how conflicts of interest in roles are handled in the disclosure report. CC ID 15848 | Audits and risk management | Preventive | |
| Include the reporting structure in the disclosure report. CC ID 15845 | Audits and risk management | Preventive | |
| Include a description of whistleblowing mechanisms in the disclosure report. CC ID 16027 | Audits and risk management | Preventive | |
| Include the differences between the list of entities in financial reporting and in sustainability reporting in the disclosure report. CC ID 15874 | Audits and risk management | Preventive | |
| Include the governance structure in the disclosure report. CC ID 15840 | Audits and risk management | Preventive | |
| Include stakeholder representation in the disclosure report. CC ID 15847 | Audits and risk management | Preventive | |
| Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Audits and risk management | Preventive | |
| Include a description of significant fluctuations in the total number of contractors and outsource partners in the disclosure report. CC ID 15839 | Audits and risk management | Preventive | |
| Include a description of contractual relationships in the disclosure report. CC ID 15838 | Audits and risk management | Preventive | |
| Include a description of significant fluctuations in the total number of employees in the disclosure report. CC ID 15836 | Audits and risk management | Preventive | |
| Include research findings based on previous and current research methodologies in the disclosure report. CC ID 15630 [The entity may disclose results of other survey findings, such as the percentage of employees who are: proud of their work/where they work, inspired by their work/co-workers, and aligned with corporate strategy and goals. Note to TC-IM-330a.2 4 When the survey methodology has changed compared to previous reporting years, the entity shall indicate results based on both the old and new methods for the year in which the change is made. Note to TC-IM-330a.2 2] | Audits and risk management | Preventive | |
| Include the methodology used to report numbers in the disclosure report. CC ID 15841 | Audits and risk management | Preventive | |
| Include definitions of terms in the disclosure report. CC ID 15832 | Audits and risk management | Preventive | |
| Include a description of third party relationships in the disclosure report. CC ID 15830 | Audits and risk management | Preventive | |
| Include the type of work performed by contractors and outsource partners in the disclosure report. CC ID 15842 | Audits and risk management | Preventive | |
| Include any changes made to information in restatements in the disclosure report. CC ID 15829 | Audits and risk management | Preventive | |
| Include the criteria for determining when to use restatements in the disclosure report. CC ID 15828 | Audits and risk management | Preventive | |
| Include points of contact in the disclosure report. CC ID 15826 | Audits and risk management | Preventive | |
| Include the reason that reporting periods for different reports do not align in the disclosure report. CC ID 15825 | Audits and risk management | Preventive | |
| Include a description of how information is consolidated in the disclosure report. CC ID 15824 | Audits and risk management | Preventive | |
| Include the legal form of organization in the disclosure report. CC ID 15823 | Audits and risk management | Preventive | |
| Include the ownership structure in the disclosure report. CC ID 15822 | Audits and risk management | Preventive | |
| Include the shareholding structure in the disclosure report. CC ID 16093 | Audits and risk management | Preventive | |
| Include the processes used to collect and monitor in scope information in the disclosure report. CC ID 15779 | Audits and risk management | Preventive | |
| Refrain from including out of scope information in the disclosure report. CC ID 15793 | Audits and risk management | Preventive | |
| Include the processes used to assess third party compliance in the disclosure report. CC ID 15773 | Audits and risk management | Preventive | |
| Include the calculation methodology in the disclosure report. CC ID 15733 [{employee engagement}The entity shall briefly describe: The methodology used to calculate the mary-noun">percentage Note to TC-IM-330a.2 1.2] | Audits and risk management | Preventive | |
| Include the rationale for choosing the calculation methodology in the disclosure report. CC ID 15734 | Audits and risk management | Preventive | |
| Include the effects of changes to calculation methodologies in the disclosure report. CC ID 16344 | Audits and risk management | Preventive | |
| Include the source of conversion factors in the disclosure report. CC ID 15747 | Audits and risk management | Preventive | |
| Include known limitations in the disclosure report. CC ID 15669 | Audits and risk management | Preventive | |
| Include the lessons learned in the disclosure report. CC ID 15689 | Audits and risk management | Preventive | |
| Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 | Audits and risk management | Preventive | |
| Include whether training requirements apply to third parties in the disclosure report. CC ID 15727 | Audits and risk management | Preventive | |
| Include a link to the content index in the disclosure report. CC ID 15666 | Audits and risk management | Preventive | |
| Include stakeholder engagement activities in the disclosure report. CC ID 15691 | Audits and risk management | Preventive | |
| Include supplemental disclosures in the disclosure report. CC ID 15629 [{gender representation}{racial group representation} The entity may provide> nd-color:#F0BBBC;" class="term_primary-noun">supplemental disclosures on gender and/or racial/ethnic group representation by country or region. TC-IM-330a.3. 7 {gender representation}{racial group representation} The entity may provide supplemental contextual disclosures on factors that significantly erm_secondary-verb">influence gender and/or racial/ethnic group representation, such as the country or region where employees are located. TC-IM-330a.3. 8] | Audits and risk management | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [{external requirement}{job description} For U.S. employees, the entity shall categorize the employeesan> in accordance with the Equal Employment Opportunity Commission's Employer Information EEO-1 report (EEO-1 Survey) Instruction Booklet, where each employee category for disclosure is class="term_secondary-verb">defined by corresponding job categories and descriptions in the Instruction Booklet: TC-IM-330a.3. 3 {external requirement} For non-U.S. employees, the entity shall categorize the employees in a manner generally consistent with the definitions provided above, though ="background-color:#CBD0E5;" class="term_secondary-verb">in accordance with, and further facilitated by, any applicable local regulations, guidance, or generally accepted definitions. TC-IM-330a.3. 4] | Human Resources management | Preventive | |
| Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Preventive | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Preventive | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Preventive | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Preventive | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Preventive | |
| Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
| Create an incident response report following an incident response. CC ID 12700 | Operational management | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [The entity shall describe the corrective actions taken in response to specific incidents, such as changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-230a.1 1] | Operational management | Preventive | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Preventive | |
| Include risks and opportunities in the environmental management system. CC ID 15201 [{level}{be higher} The entity shall analyze all of its operations for water risks and identify activities that withdraw and consume water in locations with High (40–80 percent) or Extremely High (>80 percent) Baseline Water Stress as classified by the World Resources Institute's (WRI) Water Risk Atlas tool, Aqueduct. TC-IM-130a.2. 4 {level}{be higher} The entity shall analyze all of its operations for water risks and identify activities that withdraw and consume water in background-color:#F0BBBC;" class="term_primary-noun">locations with High (40–80 percent) or Extremely High (>80 percent) Baseline Water Stress as classified by the World Resources Institute's (WRI) Water Risk Atlas tool, Aqueduct. TC-IM-130a.2. 4] | Operational management | Preventive | |
| Include the organization's significant environmental aspects in the environmental management system. CC ID 15176 [{integration}{environmental considerations} Discussion shall include, but is not limited to, how environmental factors impact the entity's decisions regarding the siting, design, construction, refurbishment, and operations of e="background-color:#F0BBBC;" class="term_primary-noun">data centers. TC-IM-130a.3. 2] | Operational management | Preventive | |
| Establish, implement, and maintain an environmental policy. CC ID 14947 | Operational management | Preventive | |
| Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974 [The entity shall describe its approach to the integration of environmental considerations, including energy and water use, into strategic planning for data centers. TC-IM-130a.3. 1] | Operational management | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{information lifecycle} The entity shall describe the information "lifecycle" (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals' privacy. TC-IM-220a.1. 2] | Privacy protection for information and data | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 | Privacy protection for information and data | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 | Privacy protection for information and data | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. TC-IM-220a.1. 1] | Privacy protection for information and data | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Detective | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Preventive | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Consumer control: allowing users to choose whether data is collected or transferred to | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Accountability: le="background-color:#F0BBBC;" class="term_primary-noun">participation in self-regulatory organizations such as the Direct Marketing Association TC-IM-220a.1. 6.7] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5 The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5] | Privacy protection for information and data | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 [The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5] | Privacy protection for information and data | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 [{information lifecycle} The entity shall describe the information "lifecycle" (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals' noun">privacy. TC-IM-220a.1. 2] | Privacy protection for information and data | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [{external requirement} The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PIAs). TC-IM-220a.1. 3] | Privacy protection for information and data | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities ass="term_primary-noun">individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), y-verb">including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the class="term_primary-noun">information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide imary-noun">information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Preventive | |
| File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Corrective | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Preventive | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Preventive | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Preventive | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Privacy protection for information and data | Detective | |
| Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a customer due diligence program. CC ID 13618 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Preventive | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Categorize the gender of all employees. CC ID 15609 [{not be available} The entity shall categorize the gender of its le="background-color:#F0BBBC;" class="term_primary-noun">employees as female, male, or ary-verb">not disclosed/available. TC-IM-330a.3. 5] | Human Resources management | Preventive | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 [{racial group}{external requirement}{not be available} The entity shall categorize the racial/ethnic group of its U.S. employees in accordance with the EEO-1 Survey Instruction Booklet and use the following categories: Asian, Black or African American, Hispanic or Latino, White, Other (which includes Native American or Alaska Native, Native Hawaiian or Pacific Islander, and "Two or More Races" classifications), or not disclosed/available. TC-IM-330a.3. 6 {racial group}{external requirement}{not be available} The entity shall categorize the racial/ethnic group of its U.S. employees in accordance with the EEO-1 Survey Instruction Booklet and e="background-color:#B7D8ED;" class="term_primary-verb">use the following mary-noun">categories: Asian, Black or African American, Hispanic or Latino, White, Other (which includes Native American or Alaska Native, Native Hawaiian or Pacific Islander, and "Two or More Races" classifications), or not disclosed/available. TC-IM-330a.3. 6] | Human Resources management | Preventive | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources management | Preventive | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Preventive | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Preventive | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources management | Preventive | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Preventive | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Preventive | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Preventive | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Preventive | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Preventive | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Preventive | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Preventive | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Preventive | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Preventive | |
| Approve the wording of job applications. CC ID 16182 | Human Resources management | Preventive | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Preventive | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Preventive | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Preventive | |
| Conduct official proceedings, as necessary. CC ID 13836 | Operational management | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Detective | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Preventive | |
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 [Disclosure shall include, but is not limited to: If the third-party verification of the use of cybersecurity risk management standards is conducted, including independent examinations or audits TC-IM-230a.2. 3.3.4] | Audits and risk management | Detective | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
| Analyze the appropriateness of the customer due diligence program, as necessary. CC ID 13621 | Privacy protection for information and data | Preventive | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 [{external requirement} The entity shall discuss the degree to which its policies and practices address similar " class="term_primary-noun">issues as those style="background-color:#CBD0E5;" class="term_secondary-verb">outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PIAs). TC-IM-220a.1. 3] | Monitoring and measurement | Preventive | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
| Include ongoing monitoring in the customer due diligence program. CC ID 16629 | Privacy protection for information and data | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 [The entity shall briefly describe: The source of its survey (e.g., third-party survey or entity's own) Note to TC-IM-330a.2 1.1] | Leadership and high level objectives | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
| Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Preventive | |
| Convert data into standard units before reporting metrics. CC ID 15507 [The entity shall apply conversion factors consistently for all data reported under this disclosure, such as the use of HHVs for fuel usage (including biofuels) and conversion of kilowatt hours (kWh) to GJ (for energy data including electricity from solar or wind energy). TC-IM-130a.1. 4 If employee engagement is measured as an index (e.g., strength of employee agreement with a survey statement), the entity shall convert the index into a percentage for this disclosure. TC-IM-330a.2. 1.2] | Monitoring and measurement | Corrective | |
| Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Audits and risk management | Preventive | |
| Conduct hearings, as necessary. CC ID 13016 | Operational management | Detective | |
| Analyze environmental aspects using established criteria. CC ID 15230 | Operational management | Detective | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Detective | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
| Determine if customer due diligence measures are needed for existing customers. CC ID 16604 | Privacy protection for information and data | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Corrective | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Privacy protection for information and data | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Preventive | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Data security: providing basic security provisions and having clear policies relating to retentolor:#CBD0E5;" class="term_secondary-verb">ion> of lor:#F0BBBC;" class="term_primary-noun">user information TC-IM-220a.1. 6.4] | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Detective | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Detective | |
| Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Conduct personal data processing training. CC ID 13757 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Education: participation in educational efforts for consumers about behavioral online advertising TC-IM-220a.1. 6.1] | Human Resources management | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Technical Security | |
| Convert data into standard units before reporting metrics. CC ID 15507 [The entity shall apply conversion factors consistently for all data reported under this disclosure, such as the use of HHVs for fuel usage (including biofuels) and conversion of kilowatt hours (kWh) to GJ (for energy data including electricity from solar or wind energy). TC-IM-130a.1. 4 If employee engagement is measured as an index (e.g., strength of employee agreement with a survey statement), the entity shall convert the index into a percentage for this disclosure. TC-IM-330a.2. 1.2] | Monitoring and measurement | Process or Activity | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Establish/Maintain Documentation | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-220a.3 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-520a.1 2] | Audits and risk management | Actionable Reports or Measurements | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology. TC-IM-230a.2. 2 The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology. TC-IM-230a.2. 2 The entity shall describe management's approach to addressing the risks it has identified related to recruiting foreign nationals, which may include developing local talent pools, political lobbying for immigration reform, outsourcing of operations, or joining or forming industry partnerships. Note to TC-IM-330a.1 2] | Audits and risk management | Establish/Maintain Documentation | |
| Communicate rulings to interested personnel and affected parties. CC ID 14860 [{disclose}{monetary loss}{result} The legal proceedings shall include any oun">adjudicative proceeding in which the entity was yle="background-color:#CBD0E5;" class="term_secondary-verb">involved, whether before a court, a regulator, an arbitrator, or otherwise. TC-IM-220a.3. 2 {disclose}{monetary loss}{result} The legal proceedings shall include any oun">adjudicative proceeding in which the entity was yle="background-color:#CBD0E5;" class="term_secondary-verb">involved, whether before a court, a regulator, an arbitrator, or otherwise. TC-IM-520a.1. 2] | Operational management | Communicate | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Records Management | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Records Management | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Communicate | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Communicate | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Communicate | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Data and Information Management | |
| File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Privacy protection for information and data | Behavior | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Behavior | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Behavior | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Behavior | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Data and Information Management | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Business Processes | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Communicate | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Behavior | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Behavior | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Behavior | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Behavior | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Data and Information Management | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
| Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Technical Security | |
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Testing | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 [The entity shall calculate and disclose (1) the total number of data breaches identified during the reporting period. TC-IM-230a.1. 1] | Monitoring and measurement | Actionable Reports or Measurements | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 [Disclosure shall include, but is not limited to: If the third-party verification of the use of cybersecurity risk management standards is conducted, including independent examinations or audits TC-IM-230a.2. 3.3.4] | Audits and risk management | Investigate | |
| Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 [{racial group representation} The entity shall disclose gender representation for all employees and racial/ethnic group representation for its U.S. employees by employee category. TC-IM-330a.3. 1 {gender representation}{racial group representation} The entity may disclose gender and/or racial/ethnic group representation by employee category in the following table formats: TC-IM-330a.3. 9] | Audits and risk management | Actionable Reports or Measurements | |
| Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 | Audits and risk management | Actionable Reports or Measurements | |
| Include revenues in the disclosure report. CC ID 16099 | Audits and risk management | Actionable Reports or Measurements | |
| Include the economic value distributed in the disclosure report. CC ID 16086 | Audits and risk management | Actionable Reports or Measurements | |
| Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 | Audits and risk management | Actionable Reports or Measurements | |
| Include total monetary value of payments to governments in the disclosure report. CC ID 16091 | Audits and risk management | Actionable Reports or Measurements | |
| Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 | Audits and risk management | Actionable Reports or Measurements | |
| Include total monetary value of community investments in the disclosure report. CC ID 16089 | Audits and risk management | Actionable Reports or Measurements | |
| Include operating costs in the disclosure report. CC ID 16088 | Audits and risk management | Actionable Reports or Measurements | |
| Include economic value retained in the disclosure report. CC ID 16094 | Audits and risk management | Actionable Reports or Measurements | |
| Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 | Audits and risk management | Actionable Reports or Measurements | |
| Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 | Audits and risk management | Actionable Reports or Measurements | |
| Include revenues from third party sales in the disclosure report. CC ID 16045 | Audits and risk management | Actionable Reports or Measurements | |
| Include the profit and loss before tax in the disclosure report. CC ID 16044 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of incidents of corruption in the disclosure report. CC ID 16066 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 | Audits and risk management | Actionable Reports or Measurements | |
| Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 | Audits and risk management | Actionable Reports or Measurements | |
| Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 | Audits and risk management | Actionable Reports or Measurements | |
| Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 | Audits and risk management | Actionable Reports or Measurements | |
| Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 | Audits and risk management | Actionable Reports or Measurements | |
| Include gross direct greenhouse gas emissions in the disclosure report.. CC ID 16009 | Audits and risk management | Actionable Reports or Measurements | |
| Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 | Audits and risk management | Actionable Reports or Measurements | |
| Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 | Audits and risk management | Actionable Reports or Measurements | |
| Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 | Audits and risk management | Actionable Reports or Measurements | |
| Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total amount of significant air emissions in the disclosure report. CC ID 16005 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total emissions of particulate matter in the disclosure report. CC ID 16077 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 | Audits and risk management | Actionable Reports or Measurements | |
| Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total volume of significant spills in the disclosure report. CC ID 16010 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of significant spills in the disclosure report. CC ID 15965 | Audits and risk management | Actionable Reports or Measurements | |
| Include the performance qualification score of laptops in the disclosure report. CC ID 16176 | Audits and risk management | Actionable Reports or Measurements | |
| Include the battery life score of laptops in the disclosure report. CC ID 16175 | Audits and risk management | Actionable Reports or Measurements | |
| Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 | Audits and risk management | Actionable Reports or Measurements | |
| Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 | Audits and risk management | Actionable Reports or Measurements | |
| Include the energy efficiency of server processors in the disclosure report. CC ID 16170 | Audits and risk management | Actionable Reports or Measurements | |
| Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 | Audits and risk management | Actionable Reports or Measurements | |
| Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 | Audits and risk management | Actionable Reports or Measurements | |
| Include the SPECspeed2017_fp_basescore/watt of desktop computers in the disclosure report. CC ID 16157 | Audits and risk management | Actionable Reports or Measurements | |
| Include the average actual sustained download speed in the disclosure report. CC ID 15568 | Audits and risk management | Actionable Reports or Measurements | |
| Include the average advertised download speed in the disclosure report. CC ID 15567 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 [{level}{be higher} The entity shall disclose its water withdrawn in locations with High or Extremely High d-color:#F0BBBC;" class="term_primary-noun">Baseline Water Stress as a percentage of the total water withdrawn. TC-IM-130a.2. 5] | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 [{level}{be higher} The entity shall disclose its water consumed in locations with High or Extremely High -color:#F0BBBC;" class="term_primary-noun">Baseline Water Stress as a percentage of the total water consumed. TC-IM-130a.2. 6] | Audits and risk management | Actionable Reports or Measurements | |
| Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 | Audits and risk management | Actionable Reports or Measurements | |
| Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 | Audits and risk management | Actionable Reports or Measurements | |
| Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 | Audits and risk management | Actionable Reports or Measurements | |
| Include the rate of new employee hires in the disclosure report. CC ID 15928 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of employees who left the organization in the disclosure report. CC ID 16127 | Audits and risk management | Actionable Reports or Measurements | |
| Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 | Audits and risk management | Actionable Reports or Measurements | |
| Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 | Audits and risk management | Actionable Reports or Measurements | |
| Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 | Audits and risk management | Actionable Reports or Measurements | |
| Include the user average interruption duration in the disclosure report. CC ID 15558 | Audits and risk management | Actionable Reports or Measurements | |
| Include the system average interruption frequency in the disclosure report. CC ID 15565 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 [{government request} The entity shall disclose (3) the percentage of government and law enforcement requests that resulted in disclosure to the ss="term_primary-noun">requesting party. TC-IM-220a.4. 3] | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 [The entity shall disclose (3) the total number of unique users who were affected by data breaches, which includes all those whose personal data was compromised in a data breach. TC-IM-230a.1. 3] | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 | Audits and risk management | Actionable Reports or Measurements | |
| Include the power usage effectiveness in the disclosure report. CC ID 15552 [The entity may disclose the trailing twelve-month (TTM) weighted average power usage effectiveness (PUE) for its data centers. TC-IM-130a.1. 5] | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 [The entity shall disclose (3) the percentage of energy it consumed that is renewable energy. TC-IM-130a.1. 3] | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 [The entity shall disclose (2) the percentage of energy it consumed that was supplied from grid electricity. TC-IM-130a.1. 2] | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 | Audits and risk management | Actionable Reports or Measurements | |
| Include the weight of recovered materials in the disclosure report. CC ID 16203 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 | Audits and risk management | Actionable Reports or Measurements | |
| Include the rate of work-related injuries in the disclosure report. CC ID 15944 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 | Audits and risk management | Actionable Reports or Measurements | |
| Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 | Audits and risk management | Actionable Reports or Measurements | |
| Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 | Audits and risk management | Actionable Reports or Measurements | |
| Conduct hearings, as necessary. CC ID 13016 | Operational management | Process or Activity | |
| Analyze environmental aspects using established criteria. CC ID 15230 | Operational management | Process or Activity | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Process or Activity | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Process or Activity | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Business Processes | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Human Resources Management | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Behavior | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Behavior | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Behavior | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Behavior | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Testing | |
| Determine if customer due diligence measures are needed for existing customers. CC ID 16604 | Privacy protection for information and data | Process or Activity | |
| Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Testing | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Data and Information Management | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Behavior | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Data and Information Management | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Business Processes | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{data breaches} All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity's ability to maintain data privacy and rb">term_primary-noun">security. Note to TC-IM-230a.1 2 All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity's ability to maintain data privacy and security. TC-IM-230a.2. 6] | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
| Establish and maintain the organization's survey method. CC ID 12869 [The entity shall briefly describe: The source of its survey (e.g., third-party survey or entity's own) Note to TC-IM-330a.2 1.1] | Leadership and high level objectives | Process or Activity | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Business Processes | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Communicate | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Communicate | |
| Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Business Processes | |
| Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Investigate | |
| Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Communicate | |
| Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Process or Activity | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Communicate | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Communicate | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [Disclosure shall include, but is not limited to: Description of the extent of its use of cybersecurity risk management standard(s), such as by applicable operations, business unit, geography, product, or information system TC-IM-230a.2. 3.3.2] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [Disclosure shall include, but is not limited to: Identification of the specific cybersecurity risk management standard(s) that have been implemented or are otherwise in use TC-IM-230a.2. 3.3.1] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 [The entity shall describe its use of third-party cybersecurity risk management standards. TC-IM-230a.2. 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the Authority Document list with external requirements. CC ID 06288 [Disclosure shall include, but is not limited to: Ongoing activities and initiatives related to increasing the use of class="term_primary-noun">cybersecurity risk management standards, even if such standards are not currently in use TC-IM-230a.2. 3.3.5] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk. TC-IM-230a.2. 1] | Monitoring and measurement | Establish/Maintain Documentation | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 [{external requirement} The entity shall discuss the degree to which its policies and practices address similar " class="term_primary-noun">issues as those style="background-color:#CBD0E5;" class="term_secondary-verb">outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PIAs). TC-IM-220a.1. 3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 [The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. TC-IM-220a.1. 1] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 [{appropriate authority} In calculating energy consumption from fuels and biofuels, the entity shall usean> tyle="background-color:#F0BBBC;" class="term_primary-noun">higher heating values (HHV), also known as gross calorific values (GCV), which are directly measured or taken from the Intergovernmental Panel on Climate Change (IPCC), the U.S. Department of Energy (DOE), or the U.S. Energy Information Administration (EIA). TC-IM-130a.1. 1.3 {external requirement} If disclosing PUE, the entity shall follow the guidance and kground-color:#F0BBBC;" class="term_primary-noun">calculation methodology described in PUE™: A Comprehensive Examination of the Metric (2014), published by ASHRAE and The Green Grid Association. TC-IM-130a.1. 5.2] | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 [{separate} User accounts that the entity cannot verify as belonging to the same individual shall be ackground-color:#_secondary-verb">B7D8ED;" class="term_primary-verb">disclosed separately. TC-IM-220a.2. 1.3 {separate} Accounts that the entity cannot verify as belonging to the same userspan> shall be und-color:#B7D8ED_secondary-verb">;" class="term_primary-verb">disclosed separately. TC-IM-230a.1. 3.1] | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 [The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation. TC-IM-230a.1. 4] | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
| Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Audits and Risk Management | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [Disclosure shall include, but is not limited to: The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and | Audits and risk management | Establish/Maintain Documentation | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
| Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Business Processes | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Business Processes | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 [The entity may provide disclosures by region or country. TC-IM-220a.6. 5] | Audits and risk management | Establish/Maintain Documentation | |
| Include a summary of the questions and statements from surveys or studies in the disclosure report. CC ID 15631 [The entity shall briefly describe: A summary of questions or statements included in the survey or term_primary-noun">study (e.g., those related to goal setting, support to achieve goals, training and development, work processes, and commitment to the organization) Note to TC-IM-330a.2 1.3] | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that confidential information has been omitted in the disclosure report. CC ID 16598 | Audits and risk management | Establish/Maintain Documentation | |
| Include legal proceedings in the disclosure report. CC ID 15564 [{monetary loss} The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant :#F0BBBC;" class="term_primary-noun">industry regulations, such as: TC-IM-220a.3. 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: TC-IM-220a.3. 6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: TC-IM-520a.1. 6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant regulations, such as: TC-IM-520a.1. 5] | Audits and risk management | Establish/Maintain Documentation | |
| Include the context of monetary losses from legal proceedings in the disclosure report. CC ID 15533 [The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data, children's privacy) of all monetary losses as a result of legal proceedings. Note to TC-IM-220a.3 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings. Note to TC-IM-520a.1 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of monetary losses from legal proceedings in the disclosure report. CC ID 15532 [The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data, children's privacy) of all monetary losses as a result of legal proceedings. Note to TC-IM-220a.3 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with incidents relating to user privacy. TC-IM-220a.3. 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings. Note to TC-IM-520a.1 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include goals and targets in the disclosure report. CC ID 16339 | Audits and risk management | Establish/Maintain Documentation | |
| Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Audits and risk management | Establish/Maintain Documentation | |
| Include the relationship between organizational requirements and external requirements in the disclosure report. CC ID 16154 | Audits and risk management | Establish/Maintain Documentation | |
| Include external requirements in the disclosure report. CC ID 16150 | Audits and risk management | Establish/Maintain Documentation | |
| Include the classification of risks and opportunities posed by climate change in the disclosure report. CC ID 16096 | Audits and risk management | Establish/Maintain Documentation | |
| Include board oversight of risks and opportunities in the disclosure report. CC ID 16337 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk management procedures in the disclosure report. CC ID 16058 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risk management strategy in the disclosure report. CC ID 16348 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk assessment procedures in the disclosure report. CC ID 16343 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's primary activities in the disclosure report. CC ID 16043 | Audits and risk management | Establish/Maintain Documentation | |
| Include business operations owned by the organization in the disclosure report. CC ID 15614 | Audits and risk management | Establish/Maintain Documentation | |
| Include critical business operations that support cloud services in the disclosure report. CC ID 15612 | Audits and risk management | Establish/Maintain Documentation | |
| Include the relationship between the tax strategy and the organizational strategy in the disclosure report. CC ID 16035 | Audits and risk management | Establish/Maintain Documentation | |
| Include reference to assurance statements in the disclosure report. CC ID 16033 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of assurance processes in the disclosure report. CC ID 16031 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 [{racial group representation} The entity shall disclose gender representation for all employees and racial/ethnic group representation for its U.S. employees by employee category. TC-IM-330a.3. 1 {gender representation}{racial group representation} The entity may disclose gender and/or racial/ethnic group representation by employee category in the following table formats: TC-IM-330a.3. 9] | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of individuals in each region in the disclosure report. CC ID 15835 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of individuals in each gender category in the disclosure report. CC ID 15633 | Audits and risk management | Establish/Maintain Documentation | |
| Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics criteria in the disclosure report. CC ID 16143 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk management metrics in the disclosure report. CC ID 16345 | Audits and risk management | Establish/Maintain Documentation | |
| Include financial management metrics in the disclosure report. CC ID 16042 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on anti-corruption in the disclosure report. CC ID 16052 | Audits and risk management | Establish/Maintain Documentation | |
| Include environmental management metrics in the disclosure report. CC ID 16012 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on procurement practices in the disclosure report. CC ID 16011 | Audits and risk management | Establish/Maintain Documentation | |
| Include emissions management metrics in the disclosure report. CC ID 15987 | Audits and risk management | Establish/Maintain Documentation | |
| Include compliance metrics in the disclosure report. CC ID 15932 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 [The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with anti-competitive behavior such as those related to enforcement of laws and regulations on price fixing, anti-trust behavior (e.g., exclusivity contracts), patent misuse, or network effects and bundling of services and products to limit competition. TC-IM-520a.1. 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on labor-management relations in the disclosure report. CC ID 15935 | Audits and risk management | Establish/Maintain Documentation | |
| Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 | Audits and risk management | Establish/Maintain Documentation | |
| Include waste management metrics in the disclosure report. CC ID 15925 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight of waste generated in the disclosure report. CC ID 15778 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of waste generated in the disclosure report. CC ID 15775 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of waste diverted from disposal the disclosure report. CC ID 15767 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 | Audits and risk management | Establish/Maintain Documentation | |
| Include product and service management metrics in the disclosure report. CC ID 15917 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 | Audits and risk management | Establish/Maintain Documentation | |
| Include water management metrics in the disclosure report. CC ID 15924 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total water withdrawal in the disclosure report. CC ID 15593 [The entity shall disclose the amount of water, in thousands of cubic meters, that was withdrawn from all sources. TC-IM-130a.2. 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total water discharge in the disclosure report. CC ID 15758 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of water discharge in the disclosure report. CC ID 15759 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 | Audits and risk management | Establish/Maintain Documentation | |
| Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total water consumption in the disclosure report. CC ID 15642 [{saltwater} The entity may disclose portions of its supply by "background-color:#F0BBBC;" class="term_primary-noun">source if, for example, significant portions of withdrawals are from non-freshwater sources. TC-IM-130a.2. 2 The entity shall disclose the amount of water, in thousands of cubic meters, that was consumed in its operations. TC-IM-130a.2. 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of complaints received in the disclosure report. CC ID 15728 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 [If results are limited to a subset of employees, the entity shall include the percentage of employees included in the study or survey and the representativeness of the sample. Note to TC-IM-330a.2 3 If results are limited to a subset of employees, the entity shall include the percentage of employees included in the study or survey and the representativeness of the sample. Note to TC-IM-330a.2 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include employment practices metrics in the disclosure report. CC ID 15921 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 [The entity shall disclose the percentage of employees that are foreign nationals. TC-IM-330a.1. 1] | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of employee engagement in the disclosure report. CC ID 15634 [The entity shall disclose employee engagement as a percentage. TC-IM-330a.2. 1] | Audits and risk management | Actionable Reports or Measurements | |
| Include the percentage of offshore employees in the disclosure report. CC ID 15623 | Audits and risk management | Actionable Reports or Measurements | |
| Include the rate of employee turnover in the disclosure report. CC ID 15898 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of new employee hires in the disclosure report. CC ID 15896 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of employees in the disclosure report. CC ID 15834 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on parental leave in the disclosure report. CC ID 15936 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of hours worked in the disclosure report. CC ID 15910 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on public policy advocacy in the disclosure report. CC ID 15947 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total monetary value of political contributions in the disclosure report. CC ID 15803 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on training and education in the disclosure report. CC ID 15940 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 | Audits and risk management | Establish/Maintain Documentation | |
| Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 | Audits and risk management | Actionable Reports or Measurements | |
| Include operational metrics in the disclosure report. CC ID 15939 | Audits and risk management | Establish/Maintain Documentation | |
| Include incident management metrics in the disclosure report. CC ID 15926 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total user downtime in the disclosure report. CC ID 15635 | Audits and risk management | Actionable Reports or Measurements | |
| Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 [{content removal request} The entity shall disclose the percentage of the requests from government or law enforcement agencies to remove content where the entity complied with the issuing agencies to remove content. TC-IM-220a.6. 2] | Audits and risk management | Actionable Reports or Measurements | |
| Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 | Audits and risk management | Actionable Reports or Measurements | |
| Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 [The entity shall disclose the number of unique users whose information is used for secondary purposes. TC-IM-220a.2. 1 The scope of disclosure shall include the users whose information is used by the entity itself for secondary purposes as well as the users whose information is provided to affiliates or non-affiliates to use for secondary purposes. TC-IM-220a.2. 2] | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of content removal requests in the disclosure report. CC ID 15647 [The entity shall disclose the number of requests to remove content it received from government or law enforcement agencies. TC-IM-220a.6. 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 [The entity shall disclose (1) the total number of unique requests for user information, including user content and non-content data, from government or law enforcement agencies. TC-IM-220a.4. 1 The entity shall disclose (2) the total number of unique users whose information was requested by government or law enforcement agencies. TC-IM-220a.4. 2] | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 [The entity shall disclose (2) the percentage of data breaches in which personally identifiable information (PII) was subject to the data breach. TC-IM-230a.1. 2] | Audits and risk management | Establish/Maintain Documentation | |
| Include third party management metrics in the disclosure report. CC ID 15923 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics on supplier social assessments in the disclosure report. CC ID 15938 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 | Audits and risk management | Establish/Maintain Documentation | |
| Include customer health and safety management metrics in the disclosure report. CC ID 15922 | Audits and risk management | Establish/Maintain Documentation | |
| Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 | Audits and risk management | Establish/Maintain Documentation | |
| Include energy management metrics in the disclosure report. CC ID 15920 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total energy reduction in the disclosure report. CC ID 15749 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 | Audits and risk management | Establish/Maintain Documentation | |
| Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total heating sold in the disclosure report. CC ID 15739 | Audits and risk management | Establish/Maintain Documentation | |
| Include the energy intensity ratio in the disclosure report. CC ID 15735 | Audits and risk management | Actionable Reports or Measurements | |
| Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total electricity sold in the disclosure report. CC ID 15740 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total energy consumption in the disclosure report. CC ID 15506 [The entity shall disclose (1) the total amount of energy it consumed as an aggregate figure, in gigajoules (GJ). TC-IM-130a.1. 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total heating consumption in the disclosure report. CC ID 15743 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total cooling sold in the disclosure report. CC ID 15738 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total cooling consumption in the disclosure report. CC ID 15742 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total steam sold in the disclosure report. CC ID 15737 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total steam consumption in the disclosure report. CC ID 15741 | Audits and risk management | Establish/Maintain Documentation | |
| Include the fuel types used in the disclosure report. CC ID 15745 | Audits and risk management | Establish/Maintain Documentation | |
| Include materials management metrics in the disclosure report. CC ID 15919 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 | Audits and risk management | Establish/Maintain Documentation | |
| Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 | Audits and risk management | Establish/Maintain Documentation | |
| Include occupational health and safety management metrics in the disclosure report. CC ID 15918 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 | Audits and risk management | Establish/Maintain Documentation | |
| Include the total number of work-related injuries in the disclosure report. CC ID 15899 | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 | Audits and risk management | Establish/Maintain Documentation | |
| Include outsourcing arrangements in the disclosure report. CC ID 15621 [{environmental considerations} The scope of disclosure includes considerations for existing owned data centers, development of new data centers, and outsourcing of y-noun">data center services, where relevant. TC-IM-130a.3. 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include business operations outsourced to third parties in the disclosure report. CC ID 15616 | Audits and risk management | Establish/Maintain Documentation | |
| Include how material topics are managed in the disclosure report. CC ID 15657 | Audits and risk management | Establish/Maintain Documentation | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Audits and risk management | Establish/Maintain Documentation | |
| Include the content removal policy in the disclosure report. CC ID 15650 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3 The entity may break out categories of request type (e.g., copyright takedown notices, illegal hate speech). TC-IM-220a.6. 4] | Audits and risk management | Establish/Maintain Documentation | |
| Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include requirements for content removal requests in the disclosure report. CC ID 15652 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 [The entity may describe its policy for determining whether to comply with a request to remove content, including under what conditions it will remain, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.6. 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of content removal requests in the disclosure report. CC ID 15648 [The scope of content removal requests includes, but is not limited to, instances where the content is restricted in one or more markets the entity operates in, but not others. TC-IM-220a.6. 1.1 {content removal request} The scope of requests the entity complied with shall include requests that resulted in full or partial compliance with the disclosure request within the reporting period. TC-IM-220a.6. 2.2] | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of data subjects in the disclosure report. CC ID 16791 | Audits and risk management | Establish/Maintain Documentation | |
| Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Audits and risk management | Establish/Maintain Documentation | |
| Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Audits and risk management | Establish/Maintain Documentation | |
| Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Audits and risk management | Establish/Maintain Documentation | |
| Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 [Where relevant, the entity shall discuss its policies and practices related to freedom of expression, including how they influence its decision making when operating in countries that may request or require some form of monitoring, blocking, content filtering, or censoring of the entity's content. Note to TC-IM-220a.5 4 Where relevant, the entity shall discuss its policies and practices related to freedom of expression, including how they influence its decision making when operating in countries that may request or require some form of monitoring, blocking, content filtering, or censoring of the entity's content. Note to TC-IM-220a.5 4] | Audits and risk management | Establish/Maintain Documentation | |
| Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Audits and risk management | Establish/Maintain Documentation | |
| Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 [{government request}{law enforcement request}{user information} The scope of requests that resulted in disclosure shall include requests that resulted in full or partial compliance with the disclosure request within the reporting period. TC-IM-220a.4. 3.2] | Audits and risk management | Establish/Maintain Documentation | |
| Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 [The scope of disclosure shall include the users whose information is used by the entity itself for secondary purposes as well as the users whose information is provided to affiliates or non-affiliates to use for secondary purposes. TC-IM-220a.2. 2] | Audits and risk management | Establish/Maintain Documentation | |
| Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 [The scope of this requests that resulted in disclosure shall include disclosure of aggregated, de-identified, and anonymized data, which is intended to prevent the recipient from reconfiguring the data to identify an individual's actions or identity. TC-IM-220a.4. 3.3] | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Audits and risk management | Establish/Maintain Documentation | |
| Include significant risks related to corruption in the disclosure report. CC ID 16065 | Audits and risk management | Establish/Maintain Documentation | |
| Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Audits and risk management | Establish/Maintain Documentation | |
| Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Audits and risk management | Establish/Maintain Documentation | |
| Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Audits and risk management | Establish/Maintain Documentation | |
| Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Audits and risk management | Establish/Maintain Documentation | |
| Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Audits and risk management | Establish/Maintain Documentation | |
| Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Audits and risk management | Establish/Maintain Documentation | |
| Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Audits and risk management | Establish/Maintain Documentation | |
| Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Audits and risk management | Establish/Maintain Documentation | |
| Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Audits and risk management | Establish/Maintain Documentation | |
| Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Audits and risk management | Establish/Maintain Documentation | |
| Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Audits and risk management | Establish/Maintain Documentation | |
| Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Audits and risk management | Establish/Maintain Documentation | |
| Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tax jurisdictions in the disclosure report. CC ID 16047 | Audits and risk management | Establish/Maintain Documentation | |
| Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tax strategy in the disclosure report. CC ID 16029 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tax governance and control framework in the disclosure report. CC ID 16028 | Audits and risk management | Establish/Maintain Documentation | |
| Include the management of tax risks in the disclosure report. CC ID 16026 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Audits and risk management | Establish/Maintain Documentation | |
| Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Audits and risk management | Establish/Maintain Documentation | |
| Include the local minimum wage in the disclosure report. CC ID 15992 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Audits and risk management | Establish/Maintain Documentation | |
| Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Audits and risk management | Establish/Maintain Documentation | |
| Include the emissions management plan in the disclosure report. CC ID 16177 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Audits and risk management | Establish/Maintain Documentation | |
| Include emission reduction targets in the disclosure report. CC ID 16148 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of carbon offsets in the disclosure report. CC ID 15988 | Audits and risk management | Establish/Maintain Documentation | |
| Include the design and development of data centers in the disclosure report. CC ID 15620 [{environmental considerations} The scope of disclosure includes considerations for existing owned _primary-noun">d"background-color:#CBD0E5;" class="term_secondary-verb">ata centers, development of new data centers, and outsourcing of data center services, where relevant. TC-IM-130a.3. 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 [The scope of this disclosure includes company operations that have been discontinued, or were never offered, in a region due to government activity related to monitoring, blocking, content filtering, or censoring. TC-IM-220a.5. 2 {governmental body}{judicial authority} The entity shall disclose a list of the countries where its products and services are monitored, blocked, content is filtered, or censored due to governmental, judicial, or law enforcement requests or requirements, where: TC-IM-220a.5. 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 [The entity may discuss implications of blocking or censorship, such as affecting ability to grow market share, or increased costs to comply with these restrictions. Note to TC-IM-220a.5 2] | Audits and risk management | Establish/Maintain Documentation | |
| Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall nd-color:#B7D8ED;" class="term_primary-verb">identify</span> the product or service ="background-color:#CBD0E5;" class="term_secondary-verb">affected and discuss the nature of the modification, indicating whether modification was undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its home country or other significant markets. Note to TC-IM-220a.5 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall identify the product or service affected and rm_primary-verb">discuss the round-color:#F0BBBC;" class="term_primary-noun">nature of the modification, indicating whether modification was term_secondary-verb">undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its home country or other significant markets. Note to TC-IM-220a.5 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 [{be material} For products and services that have been modified in a manner material to their functionality, the entity shall identify the product or service affected and discuss the nature of the modification, indicating whether modification was undertaken to avoid monitoring or blocking, or to enable monitoring or blocking. The entity shall describe how the modified product or service differs from the product or service offering in its <span style="background-color:#F0BBBC;" class="term_primary-noun">home country or other significant markets. Note to TC-IM-220a.5 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of complaints received in the disclosure report. CC ID 15844 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Audits and risk management | Establish/Maintain Documentation | |
| Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Audits and risk management | Establish/Maintain Documentation | |
| Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Audits and risk management | Establish/Maintain Documentation | |
| Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Audits and risk management | Establish/Maintain Documentation | |
| Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Audits and risk management | Establish/Maintain Documentation | |
| Include the employee representation program in the disclosure report. CC ID 15628 [The entity shall describe its policies and programs for fostering equitable employee representation across its global operations. Note to TC-IM-330a.3 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Audits and risk management | Establish/Maintain Documentation | |
| Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Audits and risk management | Establish/Maintain Documentation | |
| Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Audits and risk management | Establish/Maintain Documentation | |
| Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Audits and risk management | Establish/Maintain Documentation | |
| Include work-related hazards in the disclosure report. CC ID 15911 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Audits and risk management | Establish/Maintain Documentation | |
| Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Audits and risk management | Establish/Maintain Documentation | |
| Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Audits and risk management | Establish/Maintain Documentation | |
| Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Audits and risk management | Establish/Maintain Documentation | |
| Include the main types of work-related injury in the disclosure report. CC ID 15959 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Audits and risk management | Establish/Maintain Documentation | |
| Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Audits and risk management | Establish/Maintain Documentation | |
| Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 [The entity shall describe potential risks from recruiting foreign nationals, which may arise from immigration, naturalization, or visa regulations. Note to TC-IM-330a.1 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for reporting near misses in the disclosure report. CC ID 16211 | Audits and risk management | Establish/Maintain Documentation | |
| Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Audits and risk management | Establish/Maintain Documentation | |
| Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Audits and risk management | Establish/Maintain Documentation | |
| Include the Code of Conduct in the disclosure report. CC ID 16205 | Audits and risk management | Establish/Maintain Documentation | |
| Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of work stoppages in the disclosure report. CC ID 16215 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Audits and risk management | Establish/Maintain Documentation | |
| Include the impact of work stoppages in the disclosure report. CC ID 16212 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Audits and risk management | Establish/Maintain Documentation | |
| Include the material of spills in the disclosure report. CC ID 15968 | Audits and risk management | Establish/Maintain Documentation | |
| Include the location of spills in the disclosure report. CC ID 15964 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Audits and risk management | Establish/Maintain Documentation | |
| Include products that contain declarable substances in the disclosure report. CC ID 16161 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of renewable energy in the disclosure report. CC ID 15509 [{hydropower source}{relevant authority}For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following: Energy from hydro sources is round-color:#B7D8ED;" class="term_primary-verb">limited to those that are m_secondary-verb">certified by the Low Impact Hydropower Institute or that are eligible for a state Renewable Portfolio Standard; TC-IM-130a.1. 3.4.1 {hydropower source}For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following: Energy from biomass sources is limited to materials r:#CBD0E5;" class="term_secondary-verb">certified to a third-party standard (e.g., Forest Stewardship Council, Sustainable Forest Initiative, Programme for the Endorsement of Forest Certification, or American Tree Farm System), materials considered eligible sources of supply according to the Green-e Framework for Renewable Energy Certification, Version 1.0 (2017) or Green-e regional standards, and/or materials that are eligible for an applicable state renewable portfolio standard. TC-IM-130a.1. 3.4.2 For any renewable electricity generated on-site, any RECs and GOs must be retained (i.e., not sold) and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. TC-IM-130a.1. 3.3.1 For renewable PPAs and green power products, the agreement must explicitly include and convey that RECs and GOs be retained or replaced and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. TC-IM-130a.1. 3.3.2 The scope of renewable energy includes renewable fuel the entity consumed, renewable energy the entity directly produced, and renewable energy the entity purchased, if purchased through a renewable power purchase agreement (PPA) that explicitly includes renewable energy certificates (RECs) or Guarantees of Origin (GOs), a Green e Energy Certified utility or supplier program, or other green power products that explicitly ‐ include RECs or GOs, or for which Green e Energy Certified RECs are paired with grid electricity. TC-IM-130a.1. 3.3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of energy consumption in the disclosure report. CC ID 15508 [The scope of energy consumption includes energy from all sources, including energy purchased from sources external to the entity and energy produced by the entity itself (self-generated). For example, direct fuel usage, purchased electricity, and heating, cooling, and steam energy are all included within the scope of energy consumption. TC-IM-130a.1. 1.1 The scope of energy consumption includes only energy directly consumed by the entity during the reporting period. TC-IM-130a.1. 1.2 The renewable portion of the electricity grid mix that is outside of the control or influence of the entity is excluded from the scope of renewable energy. TC-IM-130a.1. 3.3.3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of energy used in the disclosure report. CC ID 15748 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Audits and risk management | Process or Activity | |
| Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of recovered material in the disclosure report. CC ID 16204 | Audits and risk management | Establish/Maintain Documentation | |
| Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks represented by materials in the disclosure report. CC ID 16171 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Audits and risk management | Establish/Maintain Documentation | |
| Include management of the availability of materials in the disclosure report. CC ID 16167 | Audits and risk management | Establish/Maintain Documentation | |
| Include management of the price of materials in the disclosure report. CC ID 16165 | Audits and risk management | Establish/Maintain Documentation | |
| Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Audits and risk management | Establish/Maintain Documentation | |
| Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Audits and risk management | Establish/Maintain Documentation | |
| Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Audits and risk management | Establish/Maintain Documentation | |
| Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Audits and risk management | Establish/Maintain Documentation | |
| Include the results of impact assessments in the disclosure report. CC ID 15820 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of community development programs in the disclosure report. CC ID 15818 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the impact assessments in the disclosure report. CC ID 15817 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Audits and risk management | Establish/Maintain Documentation | |
| Include trends in the frequency of incidents in the disclosure report. CC ID 15511 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Audits and risk management | Establish/Maintain Documentation | |
| Include trends in the origination of incidents in the disclosure report. CC ID 15512 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Audits and risk management | Establish/Maintain Documentation | |
| Include trends in incident type in the disclosure report. CC ID 15510 [The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. TC-IM-230a.2. 4] | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of water consumption in the disclosure report. CC ID 15754 | Audits and risk management | Establish/Maintain Documentation | |
| Include changes in water storage in the disclosure report. CC ID 15762 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of water discharge in the disclosure report. CC ID 15755 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of water withdrawal in the disclosure report. CC ID 15753 | Audits and risk management | Establish/Maintain Documentation | |
| Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Audits and risk management | Establish/Maintain Documentation | |
| Include the effluent discharge standards in the disclosure report. CC ID 15757 | Audits and risk management | Establish/Maintain Documentation | |
| Include water quality standards in the disclosure report. CC ID 15756 | Audits and risk management | Establish/Maintain Documentation | |
| Include business continuity risks in the disclosure report. CC ID 15608 | Audits and risk management | Establish/Maintain Documentation | |
| Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 [The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. TC-IM-230a.1. 2.2] | Audits and risk management | Establish/Maintain Documentation | |
| Include recycling in the disclosure report. CC ID 15579 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of recycled material in the disclosure report. CC ID 16153 | Audits and risk management | Establish/Maintain Documentation | |
| Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Audits and risk management | Establish/Maintain Documentation | |
| Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Audits and risk management | Establish/Maintain Documentation | |
| Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Audits and risk management | Establish/Maintain Documentation | |
| Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Audits and risk management | Establish/Maintain Documentation | |
| Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Audits and risk management | Establish/Maintain Documentation | |
| Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 [{disclose}{monetary loss} The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). TC-IM-220a.3. 3 {disclose}{monetary loss} The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). TC-IM-520a.1. 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 [{first-party advertising} The scope of disclosure includes both first- and third-party advertising. TC-IM-220a.1. 5] | Audits and risk management | Establish/Maintain Documentation | |
| Include the corrective action plan in the disclosure report. CC ID 15900 | Audits and risk management | Establish/Maintain Documentation | |
| Include the costs of corrective actions in the disclosure report. CC ID 16098 | Audits and risk management | Establish/Maintain Documentation | |
| Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Audits and risk management | Establish/Maintain Documentation | |
| Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Audits and risk management | Establish/Maintain Documentation | |
| Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 [The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. TC-IM-230a.1. 2.2] | Audits and risk management | Establish/Maintain Documentation | |
| Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 [The scope of disclosure is limited to data breaches that resulted in a deviation from the entity's expected outcomes for confidentiality and/or integrity. TC-IM-230a.1. 1.2] | Audits and risk management | Establish/Maintain Documentation | |
| Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 [The scope of disclosure is limited to breaches in which users were notified of the breach, either as required by law or voluntarily by the entity. TC-IM-230a.1. 2.3] | Audits and risk management | Establish/Maintain Documentation | |
| Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Audits and risk management | Establish/Maintain Documentation | |
| Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Audits and risk management | Establish/Maintain Documentation | |
| Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Audits and risk management | Establish/Maintain Documentation | |
| Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 [{legal fee} The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its ss="term_primary-noun">defense. TC-IM-220a.3. 4 {legal fee} The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its ss="term_primary-noun">defense. TC-IM-520a.1. 4] | Audits and risk management | Establish/Maintain Documentation | |
| Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Audits and risk management | Establish/Maintain Documentation | |
| Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 [The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1 The entity shall describe the extent of monitoring, blocking, content filtering, or censorship across its product or service lines, including the specific products affected, nature and duration of impact, and percent of customers affected. Note to TC-IM-220a.5 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Audits and risk management | Establish/Maintain Documentation | |
| Include non-monetary sanctions in the disclosure report. CC ID 15872 | Audits and risk management | Establish/Maintain Documentation | |
| Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's name in the disclosure report. CC ID 15668 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Audits and risk management | Establish/Maintain Documentation | |
| Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of material topics in the disclosure report. CC ID 15656 | Audits and risk management | Establish/Maintain Documentation | |
| Include changes to the list of material topics in the disclosure report. CC ID 15681 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Audits and risk management | Establish/Maintain Documentation | |
| Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 | Audits and risk management | Establish/Maintain Documentation | |
| Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 | Audits and risk management | Establish/Maintain Documentation | |
| Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 | Audits and risk management | Establish/Maintain Documentation | |
| Include the impacts related to each material topic in the disclosure report. CC ID 15682 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Audits and risk management | Establish/Maintain Documentation | |
| Include the impact duration in the disclosure report. CC ID 16036 | Audits and risk management | Establish/Maintain Documentation | |
| Include the extent of impacts in the disclosure report. CC ID 16016 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for determining material topics in the disclosure report. CC ID 15655 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including the same data in other required disclosures, as necessary. CC ID 15732 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks to the achievement of goals and targets in the disclosure report. CC ID 16166 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timelines for achieving goals and targets in the disclosure report. CC ID 16164 | Audits and risk management | Establish/Maintain Documentation | |
| Include the mechanisms for achieving goals and targets in the disclosure report. CC ID 16144 | Audits and risk management | Establish/Maintain Documentation | |
| Include the progress towards goals and targets in the disclosure report. CC ID 15688 | Audits and risk management | Establish/Maintain Documentation | |
| Include a justification for disclosures that do not reconcile with data reported in other required disclosures in the disclosure report. CC ID 16053 | Audits and risk management | Establish/Maintain Documentation | |
| Include historical information and future-oriented information in the disclosure report. CC ID 16336 | Audits and risk management | Establish/Maintain Documentation | |
| Include preventive actions in the disclosure report. CC ID 15796 | Audits and risk management | Establish/Maintain Documentation | |
| Include the methodology for reporting future-oriented information in the disclosure report. CC ID 16335 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reporting period in the disclosure report. CC ID 15661 | Audits and risk management | Establish/Maintain Documentation | |
| Include restatements of information from previous reporting periods and an explanation for their use in the disclosure report. CC ID 15827 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the disclosure report. CC ID 15846 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's location in the disclosure report. CC ID 16311 | Audits and risk management | Establish/Maintain Documentation | |
| Include how conflicts of interest in roles are handled in the disclosure report. CC ID 15848 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reporting structure in the disclosure report. CC ID 15845 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of whistleblowing mechanisms in the disclosure report. CC ID 16027 | Audits and risk management | Establish/Maintain Documentation | |
| Include the differences between the list of entities in financial reporting and in sustainability reporting in the disclosure report. CC ID 15874 | Audits and risk management | Establish/Maintain Documentation | |
| Include the governance structure in the disclosure report. CC ID 15840 | Audits and risk management | Establish/Maintain Documentation | |
| Include stakeholder representation in the disclosure report. CC ID 15847 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of significant fluctuations in the total number of contractors and outsource partners in the disclosure report. CC ID 15839 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of contractual relationships in the disclosure report. CC ID 15838 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of significant fluctuations in the total number of employees in the disclosure report. CC ID 15836 | Audits and risk management | Establish/Maintain Documentation | |
| Include research findings based on previous and current research methodologies in the disclosure report. CC ID 15630 [The entity may disclose results of other survey findings, such as the percentage of employees who are: proud of their work/where they work, inspired by their work/co-workers, and aligned with corporate strategy and goals. Note to TC-IM-330a.2 4 When the survey methodology has changed compared to previous reporting years, the entity shall indicate results based on both the old and new methods for the year in which the change is made. Note to TC-IM-330a.2 2] | Audits and risk management | Establish/Maintain Documentation | |
| Include the methodology used to report numbers in the disclosure report. CC ID 15841 | Audits and risk management | Establish/Maintain Documentation | |
| Include definitions of terms in the disclosure report. CC ID 15832 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of third party relationships in the disclosure report. CC ID 15830 | Audits and risk management | Establish/Maintain Documentation | |
| Include the type of work performed by contractors and outsource partners in the disclosure report. CC ID 15842 | Audits and risk management | Establish/Maintain Documentation | |
| Include any changes made to information in restatements in the disclosure report. CC ID 15829 | Audits and risk management | Establish/Maintain Documentation | |
| Include the criteria for determining when to use restatements in the disclosure report. CC ID 15828 | Audits and risk management | Establish/Maintain Documentation | |
| Include points of contact in the disclosure report. CC ID 15826 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reason that reporting periods for different reports do not align in the disclosure report. CC ID 15825 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how information is consolidated in the disclosure report. CC ID 15824 | Audits and risk management | Establish/Maintain Documentation | |
| Include the legal form of organization in the disclosure report. CC ID 15823 | Audits and risk management | Establish/Maintain Documentation | |
| Include the ownership structure in the disclosure report. CC ID 15822 | Audits and risk management | Establish/Maintain Documentation | |
| Include the shareholding structure in the disclosure report. CC ID 16093 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes used to collect and monitor in scope information in the disclosure report. CC ID 15779 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including out of scope information in the disclosure report. CC ID 15793 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes used to assess third party compliance in the disclosure report. CC ID 15773 | Audits and risk management | Establish/Maintain Documentation | |
| Include the calculation methodology in the disclosure report. CC ID 15733 [{employee engagement}The entity shall briefly describe: The methodology used to calculate the mary-noun">percentage Note to TC-IM-330a.2 1.2] | Audits and risk management | Establish/Maintain Documentation | |
| Include the rationale for choosing the calculation methodology in the disclosure report. CC ID 15734 | Audits and risk management | Establish/Maintain Documentation | |
| Include the effects of changes to calculation methodologies in the disclosure report. CC ID 16344 | Audits and risk management | Establish/Maintain Documentation | |
| Include the source of conversion factors in the disclosure report. CC ID 15747 | Audits and risk management | Establish/Maintain Documentation | |
| Include known limitations in the disclosure report. CC ID 15669 | Audits and risk management | Establish/Maintain Documentation | |
| Include the lessons learned in the disclosure report. CC ID 15689 | Audits and risk management | Establish/Maintain Documentation | |
| Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 | Audits and risk management | Establish/Maintain Documentation | |
| Include whether training requirements apply to third parties in the disclosure report. CC ID 15727 | Audits and risk management | Establish/Maintain Documentation | |
| Include a link to the content index in the disclosure report. CC ID 15666 | Audits and risk management | Establish/Maintain Documentation | |
| Include stakeholder engagement activities in the disclosure report. CC ID 15691 | Audits and risk management | Establish/Maintain Documentation | |
| Include supplemental disclosures in the disclosure report. CC ID 15629 [{gender representation}{racial group representation} The entity may provide> nd-color:#F0BBBC;" class="term_primary-noun">supplemental disclosures on gender and/or racial/ethnic group representation by country or region. TC-IM-330a.3. 7 {gender representation}{racial group representation} The entity may provide supplemental contextual disclosures on factors that significantly erm_secondary-verb">influence gender and/or racial/ethnic group representation, such as the country or region where employees are located. TC-IM-330a.3. 8] | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
| Categorize the gender of all employees. CC ID 15609 [{not be available} The entity shall categorize the gender of its le="background-color:#F0BBBC;" class="term_primary-noun">employees as female, male, or ary-verb">not disclosed/available. TC-IM-330a.3. 5] | Human Resources management | Human Resources Management | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 [{racial group}{external requirement}{not be available} The entity shall categorize the racial/ethnic group of its U.S. employees in accordance with the EEO-1 Survey Instruction Booklet and use the following categories: Asian, Black or African American, Hispanic or Latino, White, Other (which includes Native American or Alaska Native, Native Hawaiian or Pacific Islander, and "Two or More Races" classifications), or not disclosed/available. TC-IM-330a.3. 6 {racial group}{external requirement}{not be available} The entity shall categorize the racial/ethnic group of its U.S. employees in accordance with the EEO-1 Survey Instruction Booklet and e="background-color:#B7D8ED;" class="term_primary-verb">use the following mary-noun">categories: Asian, Black or African American, Hispanic or Latino, White, Other (which includes Native American or Alaska Native, Native Hawaiian or Pacific Islander, and "Two or More Races" classifications), or not disclosed/available. TC-IM-330a.3. 6] | Human Resources management | Human Resources Management | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [{external requirement}{job description} For U.S. employees, the entity shall categorize the employeesan> in accordance with the Equal Employment Opportunity Commission's Employer Information EEO-1 report (EEO-1 Survey) Instruction Booklet, where each employee category for disclosure is class="term_secondary-verb">defined by corresponding job categories and descriptions in the Instruction Booklet: TC-IM-330a.3. 3 {external requirement} For non-U.S. employees, the entity shall categorize the employees in a manner generally consistent with the definitions provided above, though ="background-color:#CBD0E5;" class="term_secondary-verb">in accordance with, and further facilitated by, any applicable local regulations, guidance, or generally accepted definitions. TC-IM-330a.3. 4] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources management | Human Resources Management | |
| Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Establish/Maintain Documentation | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Communicate | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Establish/Maintain Documentation | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Establish/Maintain Documentation | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Human Resources Management | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Human Resources Management | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Behavior | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources management | Human Resources Management | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Establish/Maintain Documentation | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Human Resources Management | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Human Resources Management | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Human Resources Management | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Human Resources Management | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Human Resources Management | |
| Approve the wording of job applications. CC ID 16182 | Human Resources management | Human Resources Management | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Human Resources Management | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Human Resources Management | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Human Resources Management | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
| Conduct personal data processing training. CC ID 13757 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Education: participation in educational efforts for consumers about behavioral online advertising TC-IM-220a.1. 6.1] | Human Resources management | Training | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
| Create an incident response report following an incident response. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [The entity shall describe the corrective actions taken in response to specific incidents, such as changes in operations, management, processes, products, business partners, training, or technology. Note to TC-IM-230a.1 1] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 [The entity should disclose its policy for disclosing data breaches to affected users in a timely manner. Note to TC-IM-230a.1 3] | Operational management | Communicate | |
| Conduct official proceedings, as necessary. CC ID 13836 | Operational management | Human Resources Management | |
| Establish, implement, and maintain an environmental management system. CC ID 14945 | Operational management | Business Processes | |
| Include risks and opportunities in the environmental management system. CC ID 15201 [{level}{be higher} The entity shall analyze all of its operations for water risks and identify activities that withdraw and consume water in locations with High (40–80 percent) or Extremely High (>80 percent) Baseline Water Stress as classified by the World Resources Institute's (WRI) Water Risk Atlas tool, Aqueduct. TC-IM-130a.2. 4 {level}{be higher} The entity shall analyze all of its operations for water risks and identify activities that withdraw and consume water in background-color:#F0BBBC;" class="term_primary-noun">locations with High (40–80 percent) or Extremely High (>80 percent) Baseline Water Stress as classified by the World Resources Institute's (WRI) Water Risk Atlas tool, Aqueduct. TC-IM-130a.2. 4] | Operational management | Establish/Maintain Documentation | |
| Include the organization's significant environmental aspects in the environmental management system. CC ID 15176 [{integration}{environmental considerations} Discussion shall include, but is not limited to, how environmental factors impact the entity's decisions regarding the siting, design, construction, refurbishment, and operations of e="background-color:#F0BBBC;" class="term_primary-noun">data centers. TC-IM-130a.3. 2] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an environmental policy. CC ID 14947 | Operational management | Establish/Maintain Documentation | |
| Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974 [The entity shall describe its approach to the integration of environmental considerations, including energy and water use, into strategic planning for data centers. TC-IM-130a.3. 1] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{information lifecycle} The entity shall describe the information "lifecycle" (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals' privacy. TC-IM-220a.1. 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Transparency: clearly disclosing ary-noun">information about data collection and color:#F0BBBC;" class="term_primary-noun">data use practices TC-IM-220a.1. 6.2] | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include contact information in the privacy notice. CC ID 14432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Communicate | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Communicate | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Communicate | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Communicate | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Communicate | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Communicate | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Communicate | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Communicate | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Communicate | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Data and Information Management | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Communicate | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Communicate | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about their privacy rights. CC ID 12989 | Privacy protection for information and data | Communicate | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Data and Information Management | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Communicate | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Behavior | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Establish Roles | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Process or Activity | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Data and Information Management | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Data and Information Management | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Technical Security | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Records Management | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Records Management | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Data and Information Management | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Records Management | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Records Management | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Communicate | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Data and Information Management | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Data and Information Management | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Communicate | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Data and Information Management | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Communicate | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Communicate | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Communicate | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Process or Activity | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Technical Security | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. TC-IM-220a.1. 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Behavior | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Process or Activity | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Business Processes | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Communicate | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Communicate | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Consumer control: allowing users to choose whether data is collected or transferred to | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Human Resources Management | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Business Processes | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Business Processes | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Data and Information Management | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Data and Information Management | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Business Processes | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Process or Activity | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Business Processes | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Communicate | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Records Management | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Data and Information Management | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Data and Information Management | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Accountability: le="background-color:#F0BBBC;" class="term_primary-noun">participation in self-regulatory organizations such as the Direct Marketing Association TC-IM-220a.1. 6.7] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Human Resources Management | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Human Resources Management | |
| Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Process or Activity | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Data and Information Management | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Human Resources Management | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Human Resources Management | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Behavior | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Behavior | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Material changes: obtaining oun">consent before applying changes to rimary-noun">policies that are less restrictive than existing ones TC-IM-220a.1. 6.5] | Privacy protection for information and data | Behavior | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5 The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is to be included in a data access request. CC ID 08699 [The entity may describe its policy for determining whether to comply with a request for user data, including under what conditions it will release user data, what requirements must be met in the request, and the level of management approval required. TC-IM-220a.4. 5] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
| Respond to data access requests in a timely manner. CC ID 00421 [{disclosure}{user data} The entity may describe its policy for notifying users about such "term_primary-noun">requests>, including the timing of notification. TC-IM-220a.4. 6] | Privacy protection for information and data | Behavior | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Data and Information Management | |
| Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Communicate | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Behavior | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Records Management | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Process or Activity | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Business Processes | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Process or Activity | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Records Management | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Records Management | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Records Management | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Records Management | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Records Management | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Records Management | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Records Management | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Records Management | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Records Management | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Records Management | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Records Management | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Records Management | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Records Management | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Records Management | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Records Management | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Establish Roles | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Data and Information Management | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Data and Information Management | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Process or Activity | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Data and Information Management | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Privacy protection for information and data | Behavior | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Privacy protection for information and data | Records Management | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Data and Information Management | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Communicate | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Data and Information Management | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Data and Information Management | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Communicate | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Records Management | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Business Processes | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Data and Information Management | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Data and Information Management | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Data and Information Management | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Data and Information Management | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Data and Information Management | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
| Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
| Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Data and Information Management | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Data and Information Management | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Data and Information Management | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Data and Information Management | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Data and Information Management | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
| Give special attention to collecting children's data. CC ID 00038 [{privacy regulation} The entity shall discuss how its policies and practices related to privacy of user information address E5;" class="term_secondary-verb">>children's privacy, which at a minimum includes the provisions of the U.S. Children's Online Privacy Protection Act (COPPA). TC-IM-220a.1. 4 With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: C;" class="term_primary-noun">Sensitive data: abiding by un">COPPA, and handling user data such as financial information, Social Security numbers, and medical information TC-IM-220a.1. 6.6] | Privacy protection for information and data | Data and Information Management | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Data and Information Management | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
| Implement security measures to protect personal data. CC ID 13606 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: Data security: providing basic security provisions and having clear policies relating to retentolor:#CBD0E5;" class="term_secondary-verb">ion> of lor:#F0BBBC;" class="term_primary-noun">user information TC-IM-220a.1. 6.4] | Privacy protection for information and data | Technical Security | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Data and Information Management | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 [{information lifecycle} The entity shall describe the information "lifecycle" (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals' noun">privacy. TC-IM-220a.1. 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Data and Information Management | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Business Processes | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Behavior | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Communicate | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Data and Information Management | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Data and Information Management | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Data and Information Management | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Data and Information Management | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Data and Information Management | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Data and Information Management | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Records Management | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Behavior | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Data and Information Management | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Data and Information Management | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Business Processes | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Communicate | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Data and Information Management | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Process or Activity | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [{external requirement} The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PIAs). TC-IM-220a.1. 3] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities ass="term_primary-noun">individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), y-verb">including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the class="term_primary-noun">information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide imary-noun">information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 [{reason}{procedure} As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements. TC-IM-220a.1. 3.2] | Privacy protection for information and data | Business Processes | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Communicate | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Behavior | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Business Processes | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Data and Information Management | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Configuration | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Human Resources Management | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Data and Information Management | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Data and Information Management | |
| Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Communicate | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Behavior | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Behavior | |
| Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Communicate | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Communicate | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 [With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising: BBC;" class="term_primary-noun">Sensitive data: abiding by COPPA, and handling user data such as financial information, Social Security numbers, and medical information TC-IM-220a.1. 6.6] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a customer due diligence program. CC ID 13618 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include ongoing monitoring in the customer due diligence program. CC ID 16629 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Retain records of the measures taken during customer due diligence. CC ID 16605 | Privacy protection for information and data | Data and Information Management | |
| Analyze the appropriateness of the customer due diligence program, as necessary. CC ID 13621 | Privacy protection for information and data | Investigate | |
| Define and assign the data controller's data quality roles and responsibilities. CC ID 00085 | Privacy protection for information and data | Establish Roles | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Data and Information Management | |
| Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Data and Information Management | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Data and Information Management | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Data and Information Management | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Data and Information Management | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Data and Information Management | |
| Check that restricted data is complete. CC ID 00090 | Privacy protection for information and data | Data and Information Management | |
| Keep restricted data up-to-date and valid. CC ID 00091 | Privacy protection for information and data | Data and Information Management | |
| Maintain restricted data in a form that does not permit the identification of data subjects for longer than the processing purpose. CC ID 00092 | Privacy protection for information and data | Data and Information Management | |