SOC 2 Granting Access to Personal Information (P5.1)


Overview:
The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.


Action Items:
1) Create a privacy notice (externally facing) and privacy policy (internally facing) and publish on the company intranet for employees to access and review.
2) Create a user account inventory for each in-scope application.
3) Inspect the public-facing Internet site to determine that the privacy notice is available for individuals to view.
4) Inspect the privacy notice to determine that the privacy notice includes how individuals access and modify personal information.
5) Inspect the user account listings and minimum password requirements for the production application(s) to determine that they are configured to authenticate users with a unique account and enforce minimum password requirements as defined in the entity's access control policy, or equivalent.
6) Inspect the application configurations to determine that applications are configured to allow end-users the ability to access the following information: Name; E-mail; Nickname; Provider; Default Account; Account settings, as applicable to the entity.
7) Inspect the company website and the customer portal to determine that a contact e-mail address, a phone number, and a customer portal are available for customers to submit security-related tickets and to report security incidents, concerns, and complaints, and that reports of concerns are reviewed by the information security team as they arrive in the inbox.


Related Documents:
1) Public-facing internet site and evidence of a privacy notice
2) Privacy notice
3) User account listing
4) Password configurations for in-scope systems
5) Application configurations for in-scope applications

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Authenticates Data Subjects' Identity—The identity of data subjects who request access to their personal information is authenticated before they are given access to that information.
2) Permits Data Subjects Access to Their Personal Information—Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information.
3) Provides Understandable Personal Information Within Reasonable Time—Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any.
4) Informs Data Subjects If Access Is Denied—When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation.



Article ID: 266
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-granting-access-to-personal-information-p5-1-266.html