Prepared by Keith P. Enright, Esq.
Chief Privacy Officer
Lucira Technologies, Inc.
326 A Street, Suite 1A
Boston, MA 02210
The following checklist is intended to provide general guidance for organizations interested in assessing their information handling practices. Specifically, this document will help you assess your current level of privacy-related exposure, from both a legal and a public relations perspective. This document is set up in a checklist and outline format. Though the checklist can be used as a working document in conducting a specific assessment, I recommend that it be used as a guideline from which you draft your own assessment checklist, ensuring that you address any unique areas of concern or idiosyncratic data handling practices affecting your organization. This document does not go into detail regarding specific statutory or regulatory compliance requirements.

This document outlines a process, rather than a one-time solution, and it is important to keep the following caveats in mind:
- Context is extremely relevant when assessing privacy exposure. Certain industries (e.g., medical service providers, financial service providers, and providers of services to children) must account for special statutory and regulatory compliance requirements. This document attempts to highlight the existence of these requirements, whenever applicable, but does not provide an adequate compliance strategy.
- This assessment should be conducted periodically, to ensure that you have a current, accurate understanding of your organization’s data flows, information handling practices, and privacy.
- Satisfactory completion of this analysis requires considerable access to the practices and procedures of various functional areas of any organization. Ensure that such access has been secured, and that adequate resources will be available for a thorough, detailed assessment. AN INCOMPLETE OR IMPROPERLY CONDUCTED ASSESSMENT CREATES, RATHER THAN LIMITS, EXPOSURE, AS IT CAN CREATE A FALSE SENSE OF SECURITY AND MAY LEAD TO THE PROMULGATION OF POLICIES WHICH ARE NOT CONSISTENT WITH ACTUAL PRACTICES.
- Finally, the results of this assessment must not be ignored. Closure of the initial assessment does NOT bring closure to the issue of
- First, establish context:
  - The statutory/regulatory climate(s) affecting your organization.
  - Industry/trade organization affiliations: are there any self-regulatory initiatives with which your policies and practices must
  - The media climate: are there certain practices on which you should focus during your assessment? (e.g., cookie use, web-bug use, or other media
- Conducting a privacy risk assessment: this process will aggregate the data necessary for informed policy and procedure formation and revision.
  - An internal privacy task force or working group, including members of legal, government relations, IT/IS, sales, public relations/marketing communications and other relevant groups within the organization.
  - It is critical that the project leader (presumably the CPO/Privacy manager) obtain senior management buy-in early in the process, as their cooperation will be critical to the successful advancement of the initiative.
  - Only then should the team begin a review of company collection, maintenance, security, use, disclosure to third parties, and prospective strategies.
- Classify information into general categories:
  - Information subject to specific statutory/regulatory requirements.
  - Information collected from children under the age of 13.
  - Requirements domestically and abroad, in all relevant jurisdictions.
- Mapping data flows
  - One of the products of this assessment will be a “Data Map”, providing detailed information about how information is being received, utilized, managed, and passed on by your organization. In conducting this assessment, you should answer the following questions:
    - What information is moving intra-departmentally or intra-personally within
    - What information is moving from your organization to third parties?
    - What information is your organization receiving from third parties?
    - What relevant information is moving across state/national boundaries?
  - The answers to these questions will determine your level of privacy-related exposure, and should inform your organizational privacy strategy.

Responses to many of the following questions will be further articulated through the auditing and assessment process. The following high-level questions provide a broad overview of the relevant issues.
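The four data-flow questions above can be answered mechanically once the flows are inventoried. The following is an added example, not part of the checklist or of Lucira's own tooling: it classifies a constructed inventory of flows by direction (internal, outbound to a third party, inbound from a third party), flags border crossings, and marks flows that carry regulated classes or data about children under 13. The `REGULATED` table, the `org:`/`ext:` naming convention and every party name are assumptions made for the example.

```python
"""Data-map classifier: an added example (not from the checklist) that answers
the four data-flow questions over a constructed inventory of flows.
The inventory, the naming scheme and the REGULATED table are assumptions."""
from dataclasses import dataclass

# Assumed mapping from data element to regulated class; the checklist only
# names the categories (statutory/regulatory, children under 13) in general.
REGULATED = {
    "medical_history": "health",
    "health_status": "health",
    "credit_card_number": "financial",
    "account_number": "financial",
    "routing_number": "financial",
    "ssn": "government_id",
    "drivers_license": "government_id",
}


@dataclass(frozen=True)
class Flow:
    name: str
    source: str              # "org:<department>" or "ext:<third party>"
    destination: str         # same convention
    elements: tuple          # data elements carried by this flow
    src_country: str
    dst_country: str
    subject_under_13: bool = False


def flow_direction(flow):
    """Internal (intra-organization), outbound to, or inbound from a third party."""
    src_internal = flow.source.startswith("org:")
    dst_internal = flow.destination.startswith("org:")
    if src_internal and dst_internal:
        return "internal"
    if src_internal:
        return "outbound"
    if dst_internal:
        return "inbound"
    return "external"  # third party to third party: not this organization's flow


def classify(flow):
    """One data-map row: direction, border crossing, regulated classes carried."""
    return {
        "name": flow.name,
        "direction": flow_direction(flow),
        "cross_border": flow.src_country != flow.dst_country,
        "regulated_classes": sorted({REGULATED[e] for e in flow.elements if e in REGULATED}),
        "children_under_13": flow.subject_under_13,
    }


def build_data_map(flows):
    return [classify(f) for f in flows]


def exposure_summary(data_map):
    """Aggregate the map into the checklist's questions: what leaves the
    organization, what comes in, what crosses borders, what is regulated."""
    def names(pred):
        return sorted(row["name"] for row in data_map if pred(row))

    return {
        "outbound_third_party": names(lambda r: r["direction"] == "outbound"),
        "inbound_third_party": names(lambda r: r["direction"] == "inbound"),
        "cross_border": names(lambda r: r["cross_border"]),
        "regulated": names(lambda r: r["regulated_classes"] or r["children_under_13"]),
    }


# Constructed inventory for the example; the party and department names are made up.
SAMPLE_FLOWS = (
    Flow("web registration -> CRM", "org:web", "org:sales",
         ("email", "mailing_address", "phone"), "US", "US"),
    Flow("order -> payment processor", "org:web", "ext:payment_processor",
         ("name", "credit_card_number"), "US", "US"),
    Flow("ad network cookie", "org:web", "ext:ad_network",
         ("ip_address", "cookie_id"), "US", "IE"),
    Flow("kids club signup", "org:web", "org:marketing",
         ("email", "name"), "US", "US", subject_under_13=True),
    Flow("list append from broker", "ext:data_broker", "org:marketing",
         ("mailing_address", "marital_status"), "US", "US"),
    Flow("health survey -> EU analytics", "org:support", "ext:analytics_vendor",
         ("health_status",), "US", "DE"),
)

if __name__ == "__main__":
    for key, flows in exposure_summary(build_data_map(SAMPLE_FLOWS)).items():
        print(f"{key}: {flows}")
```

The summary is the starting point for the later questions on disclosure and cross-border transfer: every name under `outbound_third_party` needs a named recipient and a documented relationship, and every name under `regulated` needs the statutory review the checklist defers to.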
- Who can collect information?
  - Classes of information to rights of access.
- Under what circumstances is information within a specific class collected?
- With whose consent is information within a specific class collected?
- How is each class of data being used?
- How is each class of information stored?
  - Are there different storage strategies in place for different classes of
  - Is it cross-referenced?
- What uses are permitted with respect to each class of information?
  - How long is each class of information retained?
- Is your organization in compliance with all relevant statutory/regulatory requirements for storage of specific classes of information?
- When is information belonging to each class destroyed, and who is accountable for its destruction?
- How is the accuracy of collected information
  - What access mechanisms are in place, allowing the subject to alter/update inaccurate or obsolete information?
- To whom, under what circumstances, and in what manner may information belonging to each class be disclosed?
- Specify whether specific categories of information collected by your site are optional, and assess whether their optional nature is clearly indicated.
  - What information is collected without a user’s explicit knowledge and/or consent?
- Log Files
  - What information is automatically logged and/or not explicitly consented to by
  - Examples include IP addresses, browser type, date/time of access, etc.
  - For what purposes are these classes of information used?
- Cookies
  - What benefits does the user enjoy by enabling cookies?
  - What are the consequences to a user who disables cookies? Is website functionality limited, is the user completely denied access,
  - Do you allow other companies (advertisers, etc.) to deliver cookies to your users via your web site? (e.g., through banner ads)
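To see concretely what a web server records without any explicit action by the user, here is an added example, not code from the checklist or from Lucira: it parses log lines in the common "combined" format, counts which identifier classes (IP address, browser type, referring page, query string) each line captured, and produces a minimized copy suitable for longer retention. The sample lines are constructed using documentation address ranges; the field names and the minimization rules are this example's own choices.

```python
"""Log-file inventory and minimization: an added example, not from the
checklist. It parses web server log lines in the common "combined" format,
reports which identifiers are captured automatically (without the user doing
anything beyond visiting), and produces a minimized copy for retention.
The sample lines are constructed; the field names are this example's own."""
import re
from collections import Counter

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample; addresses are from the documentation ranges (TEST-NET).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0 (compatible)"
198.51.100.23 - - [10/Oct/2000:13:56:01 -0700] "GET /signup?email=jane%40example.com HTTP/1.0" 200 512 "http://partner.example/ad" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def automatically_collected(record):
    """Which identifying fields this line captured without explicit consent:
    the IP address, the browser type, the referring page, and any query
    string (which may carry form data such as an e-mail address)."""
    captured = {"ip_address", "date_time", "browser_type"}
    if record["referer"] != "-":
        captured.add("referring_url")
    if "?" in record["request"]:
        captured.add("query_string")
    return captured


def inventory(log_text):
    """Count, over all parsable lines, how often each identifier class is captured."""
    counts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            unparsed += 1
            continue
        counts.update(automatically_collected(record))
    return counts, unparsed


def minimize(record):
    """Retention-friendly copy: zero the last IPv4 octet, drop the referrer,
    and strip the query string from the request line."""
    out = dict(record)
    octets = record["ip"].split(".")
    if len(octets) == 4:
        out["ip"] = ".".join(octets[:3] + ["0"])
    out["referer"] = "-"
    method_path = record["request"].split(" ")
    if len(method_path) >= 2:
        method_path[1] = method_path[1].split("?", 1)[0]
        out["request"] = " ".join(method_path)
    return out


if __name__ == "__main__":
    counts, unparsed = inventory(SAMPLE_LOG)
    print(dict(counts), "unparsed:", unparsed)
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec:
            print(minimize(rec))
```

The inventory answers the first Log Files question for a real log rather than from memory; the second sample line also shows how a form submitted with GET leaks the user's e-mail address into a file the user never consented to, which is the kind of finding the data map should record.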
- Partners, Third parties, etc.
  - Your organization’s relationships, including business partners, strategic partners, co-branded sites, third party vendors, etc., which might involve the transfer of personal information.
  - The names of relevant organizations, with the details of the relationships clearly articulated as they affect data flows.
- Users should know whether or not they should expect additional communications from your organization, including e-mail, telephone calls, and/or postal mail. Users should be informed as to whether they can opt out of these types
  - What, if any, communications will occur between the website and the user?
  - What method(s) of communication will be used?
    [ ] Postal mail
    [ ] Telephone call
    [ ] Other (specify)
  - How frequently will the communication take
  - Under what circumstances will such communications take place?
- Does your web site/organization share, transfer, or release any information to third parties? This inquiry includes subsidiaries, partners, contractors, VARs, etc.
  - To whom, if anyone, is the information being shared, transferred, or
  - What specific information, if any, is being shared, transferred, or released?
- Does your website contain links to other
  - Define the nature of the relationship between your organization and other
  - It is often helpful to maintain a list of links to the posted privacy policies of all relevant third parties. Be sure to verify the status of these policies periodically, accounting for substantive changes as necessary.
- Does your organization supplement the information received directly from a user with additional information received from third parties, or information received by mechanisms other than those to which the user has explicitly consented?
Opt-in or Opt-out
- What choices are available to the user regarding control of collection, use and distribution of personal information?
- If applicable, how is the request made to opt-out of having the information used for purposes unrelated to the purposes for which the information was collected?
  [ ] Via e-mail
  [ ] “reply” to unsubscribe
  [ ] Via telephone
  [ ] Via postal mail
  [ ] Site/Organization does not offer “Opt out”
- Is access to personally identifiable and/or sensitive data accountable to specific individuals, to maintain control over access and preserve accountability for misuse?
  - Specify whether certain groups or individuals are granted general access to data within your organization.
- Is access to data granted to parties outside of your organization? (incl. business partners, subsidiaries, etc.)
  - If so, what measures have been taken to limit unauthorized access?
  - How do you verify the identity of the persons/parties accessing the data?
  - Password methodology/standards (measures taken to ensure password
  - Are there additional authentication requirements instead of, or in addition to, password security for access (biometrics, etc.)?
- What mechanisms are in place to ensure security/confidentiality of customer/user information during transmission over public communication lines and within your organization? Inquiries into security require auditing/assessment procedures beyond the scope of this document.
- Is sensitive information (for example, credit card information) differentiated from less sensitive information?
  - Is sensitive information restricted?
  - What restrictions have been implemented?
- How does your organization control access to data?
  - Have Non-Disclosure/Confidentiality Agreements been executed with contractors and third parties, restricting/controlling access to/use of sensitive
  - Is access to data limited to authorized personnel only?
  - If so, which person(s) are authorized to access specific classes of
  - Is access to sensitive data revoked in a timely manner from employees who change job functions or leave the organization?
  - Where third-party agreements exist to allow access to data, what mechanisms have been implemented to notify the responsible official (i.e., the Security Administrator) when the agreement is modified or terminated?
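The last three questions (authorized personnel only, timely revocation after a job change or departure, and third-party access tied to a live agreement) are what a periodic access review checks. The following is an added example, not from the checklist or from Lucira: it compares a snapshot of who can read which data class against a staff roster and the status of third-party agreements, and lists every grant that should be revoked and why. The roster, the role-to-data-class entitlement policy, the account names and the ACL snapshot are all constructed for the example.

```python
"""Access review: an added example, not from the checklist. It checks a
snapshot of who can read which data class against the current staff roster
and the state of third-party agreements, surfacing the failure modes the
questions above ask about: access kept after a job change or departure,
third-party access outliving its agreement, and accounts nobody owns.
All names, roles and the entitlement policy are constructed."""

# Constructed roster: current status and role of every known principal.
ROSTER = {
    "alice":    {"status": "active", "role": "billing"},
    "bob":      {"status": "active", "role": "marketing"},  # moved here from billing
    "carol":    {"status": "terminated", "role": "support"},
    "vendor_x": {"status": "third_party", "role": "contractor", "agreement": "terminated"},
    "vendor_y": {"status": "third_party", "role": "contractor", "agreement": "active"},
}

# Assumed policy: which data classes each role is entitled to.
ROLE_ENTITLEMENTS = {
    "billing":    {"financial", "contact"},
    "marketing":  {"contact"},
    "support":    {"contact", "health"},
    "contractor": {"contact"},
}

# Constructed snapshot of current access: (principal, data class).
ACL = [
    ("alice", "financial"), ("alice", "contact"),
    ("bob", "financial"), ("bob", "contact"),       # financial left over from old role
    ("carol", "health"),                             # carol has left
    ("dave", "contact"),                             # no roster record at all
    ("vendor_x", "contact"),                         # agreement terminated
    ("vendor_y", "contact"),
]


def review_access(acl, roster, entitlements):
    """Return (principal, data_class, reason) for every grant that should not exist."""
    findings = []
    for principal, data_class in acl:
        person = roster.get(principal)
        if person is None:
            findings.append((principal, data_class, "no roster record: orphaned account"))
        elif person["status"] == "terminated":
            findings.append((principal, data_class, "access held after departure"))
        elif person["status"] == "third_party" and person.get("agreement") != "active":
            findings.append((principal, data_class, "third-party agreement not active"))
        elif data_class not in entitlements.get(person["role"], set()):
            findings.append((principal, data_class,
                             f"not entitled by current role '{person['role']}'"))
    return findings


def revocation_list(findings):
    """Grants to remove, deduplicated and ordered for a change ticket."""
    return sorted({(p, c) for p, c, _ in findings})


if __name__ == "__main__":
    for finding in review_access(ACL, ROSTER, ROLE_ENTITLEMENTS):
        print("REVOKE %-9s %-10s %s" % finding)
```

Run on a schedule, the review turns the "timely revocation" question into a measurable one: any finding that survives two consecutive reviews is a grant that the joiner/mover/leaver process missed. The orphaned-account case (an ACL entry with no roster record) is worth keeping separate from the others, because it points at the account provisioning process rather than at a single person's access.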
Integrity Assurance Mechanisms
- What restrictions are in place to control merging of sensitive data with unprotected data?
- Is there a mechanism in place to allow users access to their information in order to verify that the data is accurate and has not been modified or corrupted? How are users able to access and correct any inaccuracies in the information submitted?
  [ ] Via e-mail
  [ ] Via telephone
  [ ] Via postal mail
  - What information does your organization allow users to access, modify,
  - What verification mechanisms are in place to verify the identity of users wishing to access/correct their personal information?
  - Will the user be informed if there is a change in the use of personally
- Based on the information ascertained above,
  - Notice, Choice, Access, and Security.
  - without sacrificing accuracy.
  - Is it phrased in such a way that it is easy for your users to understand?
- Are any areas of your site directed at children under the age of 13? If YES, then you must go on to assess compliance with the requirements of the Children’s Online Privacy Protection Act. This requires “verifiable parental consent” before collecting personally identifiable information or before granting access to chat rooms, etc., where they might disclose personally identifiable information.
- Make sure your policy is easy to understand, and make sure it is easy to locate from any location on your website.
  - Including two or more documents:

Tier 1 – Very simple, broad overview of the organization’s privacy position and general disclosure of whether information will be disclosed to third parties, etc. This policy should address the concerns of the typical consumer visiting the site, and should be clear, concise, and accessible.

Tier 2 – More precise detail, specifying what information is collected by server logs, how cookies are used, and pointing to the privacy policies of partners, affiliates, and other relevant third parties. Clarity and brevity are still important here, but more detail should be provided to address the concerns of sophisticated and concerned visitors.

Tier 3 – (Especially useful where specific statutory compliance is required.) Specifically address each statutory requirement, and explain how your organization deals with each in turn. Provide sufficient information to clearly assess the rights and responsibilities existing between customers and your organization with respect to privacy and information handling.

Specific policies (at each respective tier) can be drafted to cover discrete products and services, as necessary.
- Educate employees regarding your privacy policy. Employees should know how your company responds to privacy concerns.
- Update your policy regularly, making sure that it remains an accurate description of your business’s practices.
- In addition to the information above, the following checklist may assist in determining which granular data points are being collected. In tightening organizational privacy practices, a good first step is to question the business necessity of each data point being targeted, and to collect only that data which is of compelling business importance.
- Data being collected:
  - (Supplement this checklist as necessary)
  [ ] E-mail address
  [ ] Mailing Address
  [ ] Phone Number
  [ ] Facsimile Number
  [ ] Name of banking institution
  [ ] Credit Card number
  [ ] Account Number
  [ ] Routing number
  [ ] Account balance
  [ ] Social Security Identifier
  [ ] Driver’s License Number
  [ ] Proprietary global unique identifier (GUID)
  [ ] Marital Status
  [ ] Medical History
  [ ] Health Status/Present Conditions
  [ ] Health Insurance Provider
  [ ] Employment Status
  [ ] Business Contact info.
  [ ] School(s) attended
  [ ] Degrees conferred
  [ ] Dates of attendance
  [ ] Transcript/Grade information
  [ ] Other (Specify)______________________________________
  [ ] Criminal Record
  [ ] Number of Children
  [ ] Number of Siblings
  [ ] Information regarding spouse/partner
  [ ] Mother’s maiden name
  [ ] Information regarding parents
  [ ] Years at current address
  [ ] Dialogue/Interaction (chat rooms, e-mail, bulletin board postings, etc.)
- By what means is this information being collected?
  [ ] Registration Forms
  [ ] Order Forms
  [ ] News Groups
  [ ] Feedback Forms
  [ ] Contact Us
  [ ] Electronic mail
  [ ] Request Forms
  [ ] Chat Rooms
  [ ] Bulletin Boards