Prepared by Keith P. Enright, Esq.
Chief Privacy Officer
Lucira Technologies, Inc.
326 A Street, Suite 1A
Boston, MA 02210
617.423.4111
keith@lucira.com
The following checklist is intended to provide general guidance for organizations interested in assessing their information handling practices. Specifically, this document will help you assess your current level of privacy-related exposure, from both a legal and a public relations perspective. This document is set up in a checklist and outline format. Though the checklist can be used as a working document in conducting a specific assessment, I recommend that it be used as a guideline from which you draft your own assessment checklist, ensuring that you address any unique areas of concern or idiosyncratic data handling practices affecting your organization. This document does not go into detail regarding specific statutory or regulatory compliance requirements.
This document outlines a process, rather than a one-time solution, and it is important to keep the following caveats in mind:
- Context is extremely relevant when assessing privacy exposure. Certain industries (e.g., medical service providers, financial service providers, and providers of services to children) must account for special statutory and regulatory compliance requirements. This document attempts to highlight the existence of these requirements, whenever applicable, but does not provide an adequate compliance strategy.
- This assessment should be conducted periodically, to ensure that you have a current, accurate understanding of your organization's data flows, information handling practices, and privacy positioning.
- Satisfactory completion of this analysis requires considerable access to the practices and procedures of various functional areas of any organization. Ensure that such access has been secured, and that adequate resources will be available for a thorough, detailed assessment. AN INCOMPLETE OR IMPROPERLY CONDUCTED ASSESSMENT CREATES, RATHER THAN LIMITS, EXPOSURE, AS IT CAN CREATE A FALSE SENSE OF SECURITY AND MAY LEAD TO THE PROMULGATION OF POLICIES WHICH ARE NOT CONSISTENT WITH ACTUAL PRACTICES.
- Finally, the results of this assessment must not be ignored. Closure of the initial assessment does NOT bring closure to the issue of privacy-related exposure.
- First, establish context:
  - Assess the statutory/regulatory climate(s) affecting your organization.
  - Account for industry/trade organization affiliations: are there any self-regulatory initiatives with which your policies and practices must comport?
  - Consider the media climate: are there certain practices on which you should focus during your assessment (e.g., cookie use, web-bug use, or other media hot-button issues)?
- Conducting a privacy risk assessment:
  - This process will aggregate the data necessary for informed policy and procedure formation and revision.
  - Establish an internal privacy task force or working group, including members of legal, government relations, IT/IS, sales, public relations/marketing communications and other relevant groups within the organization.
  - It is critical that the project leader (presumably the CPO/Privacy manager) obtain senior management buy-in early in the process, as their cooperation will be critical to successful advancement of the initiative.
  - Only then should the team begin a review of company collection, maintenance, security, use, disclosure to third parties, and prospective strategies.
- Classify information into general categories:
  - Personally identifiable/non-personally identifiable
  - Sensitive/non-sensitive
  - Information subject to specific statutory/regulatory requirements
    - Medical information
    - Financial information
    - Information collected from children under the age of 13
  - Assess requirements domestically and abroad, in all relevant jurisdictions.
- Mapping data flows
  - One of the products of this assessment will be a "Data Map", providing detailed information about how information is being received, utilized, managed, and passed on by your organization. In conducting this assessment, you should answer the following questions:
    - What information is moving between departments or individuals within your organization?
    - What information is moving from your organization to third parties?
    - What information is your organization receiving from third parties?
    - What relevant information is moving across state/national boundaries?
  - The answers to these questions will determine your level of privacy-related exposure, and should inform your organizational privacy strategy.
Additional Preliminary Questions

Responses to many of the following questions will be further articulated through the auditing and assessment process. The following high-level questions provide a broad overview of the relevant issues.
- Who can collect information?
  - Map classes of information to rights of access.
- Under what circumstances is information within a specific class collected?
- With whose consent is information within a specific class collected?
- How is each class of data being used?
- How is each class of information stored?
  - Are there different storage strategies in place for different classes of data?
  - How is it cross-referenced?
- What uses are permitted with respect to each class of information?
  - How long is each class of information retained?
  - Is your organization in compliance with all relevant statutory/regulatory requirements for storage of specific classes of information?
- When is information belonging to each class destroyed, and who is accountable for its destruction?
- How is the accuracy of collected information assured?
  - What access mechanisms are in place, allowing the subject to alter/update inaccurate or obsolete information?
- To whom, under what circumstances, and in what manner may information belonging to each class be disclosed?
- Specify whether specific categories of information collected by your site are optional, and assess whether their optional nature is clearly indicated.
What information is collected without a user's explicit knowledge and/or consent?
- Log Files
  - What information is automatically logged and/or not explicitly consented to by the user?
    - Examples include IP addresses, browser type, date/time of access, etc.
  - For what purposes are these classes of information used?
- Cookies
  - If your web site uses cookies, for what purposes are they being used?
  - Assess cookie file uses and clearly articulate details in the privacy policy.
  - What benefits does the user enjoy by enabling cookies?
  - What are the consequences to a user who disables cookies?
    - e.g., is website functionality limited, is the user completely denied access, etc.
  - Do you allow other companies (advertisers, etc.) to deliver cookies to your users via your web site (e.g., through banner ads)?
- Partners, third parties, etc.
  - Assess your organization's relationships, including business partners, strategic partners, co-branded sites, third party vendors, etc., that might involve the transfer of personal information.
  - List the names of relevant organizations, and clearly articulate the details of the relationships as they affect data flows.
- Users should know whether or not they should expect additional communications from your organization, including e-mail, telephone calls, and/or postal mail. Users should be informed as to whether they can opt out of these types of communication.
  - What, if any, communications will occur between the website and the user?
  - What method(s) of communication will be used?
    [ ] E-mail
    [ ] Postal mail
    [ ] Telephone call
    [ ] Fax
    [ ] Other (specify)
  - How frequently will the communication take place?
  - Under what circumstances will such communications take place?
- Does your web site/organization share, transfer, or release any information to third parties?
  - This inquiry includes subsidiaries, partners, contractors, VARs, etc.
  - With whom, if anyone, is the information being shared, transferred, or released?
  - What specific information, if any, is being shared, transferred, or released?
- Does your website contain links to other websites?
  - Clearly define the nature of the relationship between your organization and other linked sites/pages in your privacy policy.
  - It is often helpful to maintain a list of links to the posted privacy policies of all relevant third parties. Be sure to verify the status of these policies periodically, accounting for substantive changes as necessary.
- Does your organization supplement the information received directly from a user with additional information received from third parties, or information received by mechanisms other than those to which the user has explicitly consented?
Choice: Opt-in or Opt-out
- What choices are available to the user regarding control of collection, use and distribution of personal information?
- If applicable, how is the request made to opt out of having the information used for purposes unrelated to the purposes for which the information was collected?
  [ ] Via e-mail
  [ ] "Reply" to unsubscribe
  [ ] Via telephone
  [ ] Via postal mail
  [ ] Other
  [ ] N/A
  [ ] Site/organization does not offer "opt out"
- Identification
  - Is access to personally identifiable and/or sensitive data accountable to specific individuals, in order to maintain control over access and preserve accountability for misuse?
  - Specify whether certain groups or individuals are granted general access to data within your organization.
  - Is access to data granted to parties outside of your organization (including business partners, subsidiaries, etc.)?
    - If so, what measures have been taken to limit unauthorized access?
- Authentication
  - How do you verify the identity of the persons/parties accessing the data?
  - Describe password methodology/standards (measures taken to ensure password security).
  - Are there additional authentication requirements instead of, or in addition to, password security for access (biometrics, etc.)?
  - What mechanisms are in place to ensure security/confidentiality of customer/user information during transmission over public communication lines and within your organization?
  - Additional inquiries into security require auditing/assessment procedures beyond the scope of this document.
- Authorization/Access
  - Is sensitive information (for example, credit card information) differentiated from less sensitive information?
  - Is access to sensitive information restricted?
    - What restrictions have been implemented?
  - How does your organization control access to data?
  - Have Non-Disclosure/Confidentiality Agreements been executed with contractors and third parties, restricting/controlling access to and use of sensitive data?
  - Is access to data limited to authorized personnel only?
    - If so, which person(s) are authorized to access specific classes of information?
  - Is access to sensitive data revoked in a timely manner from employees who change job functions or leave the organization?
  - If third-party agreements exist to allow access to data, what mechanisms have been implemented to notify the responsible official (e.g., the Security Administrator) when the agreement is modified or terminated?
Data Integrity Assurance Mechanisms
- What restrictions are in place to control merging of sensitive data with unprotected data?
- Is there a mechanism in place to allow users access to their information in order to verify that the data is accurate and has not been modified or corrupted?
- How are users able to access and correct any inaccuracies in the information submitted?
  [ ] Online
  [ ] Via e-mail
  [ ] Via telephone
  [ ] Via postal mail
  [ ] Other
  [ ] N/A
  - Specifically, what information does your organization allow users to access, modify, and correct?
  - What verification mechanisms are in place to verify the identity of users wishing to access/correct their personal information?
  - How will the user be informed if there is a change in the use of personally identifiable information?
- Based on the information ascertained above, draft a detailed Privacy Policy, specifically addressing the areas of Notice, Choice, Access, and Security.
- Keep your privacy policy as simple as possible, without sacrificing accuracy.
  - Step back: is your privacy policy phrased in such a way that it is easy for your users to understand?
- Are any areas of your site directed at children under the age of 13?
  - If YES, then you must go on to assess compliance with the requirements of the Children's Online Privacy Protection Act.
  - Generally, this requires "verifiable parental consent" before collecting personally identifiable information or before granting access to chat rooms, etc., where children might disclose personally identifiable information.
- Make sure your policy is easy to understand, and make sure it is easy to locate from any location on your website.
- Consider drafting a multi-tiered privacy policy, including two or more documents.
  - Tier 1 – Very simple, broad overview of the organization's privacy position and general disclosure of whether information will be disclosed to third parties, etc. This policy should address the concerns of the typical consumer visiting the site, and should be clear, concise, and accessible.
  - Tier 2 – More precise detail, specifying what information is collected by server logs, specifying cookie uses, and pointing to privacy policies of partners, affiliates, and other relevant third parties. Clarity and brevity are still important here, but more detail should be provided to address the concerns of sophisticated and concerned visitors.
  - Tier 3 – (Especially useful where specific statutory compliance is required.) Specifically address each statutory requirement, and explain how your organization deals with each in turn. Provide sufficient information to clearly assess the rights and responsibilities existing between customers and your organization with respect to privacy and information handling.
  - Specific policies (at each respective tier) can be drafted to cover discrete products and services, as necessary.
- Educate employees regarding your privacy policy. Employees should know how your company responds to privacy concerns.
- Update your policy regularly, making sure that it remains an accurate description of your business's practices.
Assessing Collection Practices
- In addition to the information above, the following checklist may assist in determining which granular data points are being collected. In tightening organizational privacy practices, a good first step is to question the business necessity of each data point being targeted, and to collect only that data which is of compelling business importance.
- Data being collected (supplement this checklist as necessary):
CONTACT INFORMATION
  [ ] Name
  [ ] E-mail address
  [ ] Mailing address
  [ ] Phone number
  [ ] Facsimile number
  [ ] Other (specify) ______________________

FINANCIAL/BILLING INFORMATION
  [ ] Name of banking institution
  [ ] Credit card number
  [ ] Salary/income
  [ ] Account number
  [ ] Routing number
  [ ] Account balance
  [ ] Other (specify) ______________________

UNIQUE IDENTIFIERS
  [ ] Social Security identifier
  [ ] Driver's license number
  [ ] Proprietary global unique identifier (GUID)
  [ ] Other (specify) ______________________

DEMOGRAPHIC INFORMATION
  [ ] Age
  [ ] Gender
  [ ] Ethnicity
  [ ] Marital status
  [ ] Other (specify) ______________________

MEDICAL INFORMATION
  [ ] Medical history
  [ ] Health status/present conditions
  [ ] Health insurance provider
  [ ] Other (specify) ______________________

EMPLOYMENT INFORMATION
  [ ] Employment status
  [ ] Employer
  [ ] Title
  [ ] Business contact info.
  [ ] Other (specify) ______________________

EDUCATION INFORMATION
  [ ] School(s) attended
  [ ] Degrees conferred
  [ ] Dates of attendance
  [ ] Transcript/grade information
  [ ] Other (specify) ______________________

LEGAL INFORMATION
  [ ] Criminal record
  [ ] Other (specify) ______________________

FAMILIAL INFORMATION
  [ ] Number of children
  [ ] Number of siblings
  [ ] Information regarding spouse/partner
  [ ] Mother's maiden name
  [ ] Information regarding parents
  [ ] Years at current address
  [ ] Other (specify) ______________________

OTHER INFORMATION
  [ ] Hobbies
  [ ] Interests
  [ ] Dialogue/interaction (chat rooms, e-mail, bulletin board postings, etc.)
  [ ] Other (specify) ______________________
By what means is this information being collected?
  [ ] Registration forms
  [ ] Order forms
  [ ] News groups
  [ ] Feedback forms
  [ ] Contact Us
  [ ] Forums
  [ ] Surveys
  [ ] Electronic mail
  [ ] Request forms
  [ ] Chat rooms
  [ ] Bulletin boards
  [ ] Other (specify) ______________________