Principle 10: Monitoring and Enforcement

The last principle of the Generally Accepted Privacy Principles (GAPP), Monitoring and Enforcement, requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.


This fair information practice acknowledges that an entity should be responsible for the protection of personal information. Specifically, the criteria outlined in GAPP indicate that an entity should do the following:

- Design privacy policies that address the monitoring and enforcement of privacy policies and procedures (see Criterion 10.1.0).
- Communicate to individuals how to contact the entity with complaints (see Criterion 10.1.1).
- Design procedures and controls to ensure that a process is in place to address complaints (see Criterion 10.2.1).
- Design procedures and controls to ensure that every complaint is addressed and the resolution is documented and communicated to the individual (see Criterion 10.2.2).
- Design procedures and controls to ensure that compliance with privacy policies and procedures, commitments, applicable laws, regulations, service-level agreements, and other contracts is reviewed and documented and the results of such reviews are reported to management. If problems are identified, the entity's privacy policies and procedures are enforced (see Criterion 10.2.3).
- Design procedures and controls to ensure that instances of noncompliance with privacy policies and procedures are documented and reported and, if needed, corrective measures are taken on a timely basis (see Criterion 10.2.4).


This fair information practice also acknowledges the right of individuals to challenge an entity's compliance with stated privacy policies and procedures. In this regard, an entity is obliged to provide the means by which an individual can exercise that right. This includes explaining the entity's procedures and the various avenues of recourse available to the individual.


Accordingly, it is important that the privacy officer develop easily accessible complaint procedures and inform complainants of avenues of recourse, including those of industry associations and regulatory bodies. To meet these responsibilities, the privacy officer (or a designated employee) should investigate all complaints received, taking care to record the date a complaint is received and the nature of the complaint, and to acknowledge receipt of the complaint promptly. If necessary, the individual should be contacted to clarify the complaint.


Normally, entities assign the investigation to a person with the skills necessary to conduct it fairly and impartially. The investigator should be given access to all relevant records and to the employees or others who handled the personal information or the access request. The investigator should notify the individual of the outcome of the investigation, explaining any relevant steps taken. Based on the outcome of the investigation, any inaccurate personal information should be corrected, and policies and procedures should be modified where necessary.


Examples of related risks: Individuals may make inquiries or lodge complaints related to personal information matters, such as delays in responding to a request, incomplete or inaccurate responses, improper collection or use, and improper disclosure or retention of that information. If an entity does not have an effective process for dealing with such inquiries and complaints, individuals will not be able to assess how well their personal information is managed. This could destroy customer confidence, resulting in customer dissatisfaction and lost business.


Copyright © 2006 by the American Institute of Certified Public Accountants, Inc., New York, New York.