SOC 2 Collecting Personal Information (P3.1)


Overview:
Personal information is collected consistent with the entity’s objectives related to privacy.


Action Items:
1) Create a privacy notice (externally facing, written for the individuals whose personal information is collected) and a privacy policy (internally facing, written for employees). Publish the notice where data subjects can review it before they provide information, such as the public website or within the application, and publish both documents on the company intranet so employees can access and review them.
2) Inspect the privacy notice to confirm that it states the purpose for collecting personal information, the types of personal information collected, and the use of technologies for tracking (for example, cookies or similar identifiers).
3) Inspect the privacy notice to confirm that it describes the choices available to individuals and the consent that will be obtained from them.
4) Inspect the end-user account creation process to confirm that the application is configured to require users to review and accept the privacy notice before the account is created, and that the acceptance is recorded so it can later be produced as evidence.
5) Observe the application enrollment process to confirm that the application is configured to restrict input to the information the entity needs, for example: Name; E-mail; Nickname; Provider; Default Account; Account settings, as applicable to the entity. Input outside the approved set should be rejected by the application rather than accepted and left unused.
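The following is an added illustration of action items 4 and 5, not code from the original article or from any particular application: a server-side check that an account-creation handler could run so that only the approved enrollment fields are accepted (limiting collection) and the user's acceptance of the current privacy notice is recorded as evidence. The field names are taken from the article's example list; the notice version, notice text, and sample requests are constructed assumptions.

```python
"""Added illustration (not code from the original article): a server-side
check an account-creation handler could run to support SOC 2 P3.1.
The notice version, notice text and sample requests are constructed.
"""
import datetime as dt
import hashlib

# Allowed enrollment fields, from the article's example list. Assumed to be
# the only fields this entity needs; anything else is rejected, not dropped.
ALLOWED_FIELDS = {"name", "email", "nickname", "provider",
                  "default_account", "account_settings"}
REQUIRED_FIELDS = {"name", "email"}

# Constructed stand-in for the published privacy notice. Its hash, not the
# text, goes into the consent record so the evidence ties to the exact
# wording the user was shown.
PRIVACY_NOTICE_VERSION = "2022-09"
PRIVACY_NOTICE_TEXT = ("We collect your name and e-mail address to create "
                       "and administer your account.")
PRIVACY_NOTICE_DIGEST = hashlib.sha256(PRIVACY_NOTICE_TEXT.encode()).hexdigest()


def validate_enrollment(payload: dict, accepted_notice_version, now=None) -> dict:
    """Check a submitted enrollment payload.

    Returns {"accepted": bool, "reasons": [str, ...], "record": dict or None}.
    The record contains only allowed fields plus a consent entry.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    reasons = []

    # Limits the collection of personal information: unexpected fields are
    # refused outright, so a client cannot smuggle in extra data that then
    # sits in the database without a stated purpose.
    extra = sorted(set(payload) - ALLOWED_FIELDS)
    if extra:
        reasons.append(f"unexpected fields: {extra}")
    missing = sorted(REQUIRED_FIELDS - set(payload))
    if missing:
        reasons.append(f"missing required fields: {missing}")

    # Consent: the user must have accepted the notice version currently
    # published. An older version means the notice changed after it was shown.
    if accepted_notice_version is None:
        reasons.append("privacy notice not accepted")
    elif accepted_notice_version != PRIVACY_NOTICE_VERSION:
        reasons.append(f"stale privacy notice version {accepted_notice_version}")

    if reasons:
        return {"accepted": False, "reasons": reasons, "record": None}

    record = dict(payload)  # every key is in ALLOWED_FIELDS at this point
    record["consent"] = {
        "notice_version": PRIVACY_NOTICE_VERSION,
        "notice_sha256": PRIVACY_NOTICE_DIGEST,
        "accepted_at": now.isoformat(),
    }
    return {"accepted": True, "reasons": [], "record": record}


if __name__ == "__main__":
    # Constructed sample requests: one within the approved set, one that
    # tries to add fields the notice never mentions, one without consent.
    good = {"name": "Ada", "email": "ada@example.com", "nickname": "ada"}
    too_much = dict(good, phone="+1-555-0100", date_of_birth="1990-01-01")
    for payload, version in ((good, "2022-09"), (too_much, "2022-09"), (good, None)):
        print(validate_enrollment(payload, version))
```

The consent entry (notice version, digest of the notice text, timestamp) is what an auditor would ask for under Related Document 4; retaining it alongside the account record means the evidence is produced from the system of record rather than reconstructed later.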


Related Documents:
1) Privacy notice
2) Privacy policy
3) Sample of customer agreements and signed terms and conditions
4) Evidence that users are required to accept the privacy notice upon account creation

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Limits the Collection of Personal Information—The collection of personal information is limited to that necessary to meet the entity's objectives.
2) Collects Information by Fair and Lawful Means—Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.
3) Collects Information From Reliable Sources—Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
4) Informs Data Subjects When Additional Information Is Acquired—Data subjects are informed if the entity develops or acquires additional information about them for its use.



Article ID: 261
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-collecting-personal-information-p3-1-261.html