Back

North America > Rhode Island General Assembly

Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)



AD ID

0003949

AD STATUS

Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

ORIGINATOR

Rhode Island General Assembly

TYPE

Statutes (Bills or Acts)

AVAILABILITY

Free

SYNONYMS

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-10-24T00:00:00-0700.

AD ID

0003949

AD STATUS

Free

ORIGINATOR

Rhode Island General Assembly

TYPE

Statutes (Bills or Acts)

AVAILABILITY

SYNONYMS

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-10-24T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
92 Mandated Controls - bold    
51 Implied Controls - italic     342 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
485 Total
  • Acquisition or sale of facilities, technology, and services
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition/Sale of Assets or Services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580
    [{shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)]
    Acquisition/Sale of Assets or Services Preventive
  • Audits and risk management
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes: § 6-48.1-7.(e)
    {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 6-48.1-7.(g)
    {be similar} If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. § 6-48.1-7.(h)]
    Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} The attorney general may require a controller to disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available. The attorney general may evaluate the data protection assessment for compliance with responsibilities of this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 ("access to public records"). To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection. § 6-48.1-7.(f)]
    Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
  • Human Resources management
    26
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: § 6-48.1-3.(a)]
    Establish Roles Preventive
    Establish, implement, and maintain a legal support program. CC ID 13710
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for or defend legal claims; § 6-48.1-7.(o)(4)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Establish/Maintain Documentation Preventive
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Audits and Risk Management Detective
    Establish, implement, and maintain an ethics program. CC ID 11496
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources Management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Communicate Preventive
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Behavior Preventive
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Investigate Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Behavior Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Monitor and Evaluate Occurrences Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Monitor and Evaluate Occurrences Preventive
    Refrain from practicing false advertising. CC ID 14253 Business Processes Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Business Processes Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Communicate Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Establish/Maintain Documentation Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Behavior Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Behavior Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Business Processes Corrective
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Behavior Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources Management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources Management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources Management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Establish Roles Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Behavior Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Behavior Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Behavior Preventive
  • Leadership and high level objectives
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption. § 6-48.1-7.(t)]
    Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    53
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Audits and Risk Management Preventive
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Establish/Maintain Documentation Preventive
    Implement a fraud detection system. CC ID 13081
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)]
    Monitor and Evaluate Occurrences Detective
    Correct compliance violations. CC ID 13515
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)]
    Process or Activity Corrective
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
  • Operational management
    76
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(1)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Business Processes Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Communicate Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Establish/Maintain Documentation Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Establish/Maintain Documentation Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Establish/Maintain Documentation Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Business Processes Detective
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Establish/Maintain Documentation Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Process or Activity Detective
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Process or Activity Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Process or Activity Detective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Monitor and Evaluate Occurrences Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Monitor and Evaluate Occurrences Detective
    Escalate incidents, as necessary. CC ID 14861 Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Wipe data and memory after an incident has been detected. CC ID 16850 Technical Security Corrective
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Establish/Maintain Documentation Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Establish/Maintain Documentation Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Establish/Maintain Documentation Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Data and Information Management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include the incident reference code in incident response notifications. CC ID 17292 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Establish/Maintain Documentation Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Establish, implement, and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Data and Information Management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Data and Information Management Preventive
    Test incident monitoring procedures. CC ID 13194 Testing Detective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Establish/Maintain Documentation Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Process or Activity Detective
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Investigate Detective
    Identify the affected parties during incident investigations. CC ID 16781 Investigate Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Investigate Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Investigate Detective
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Establish/Maintain Documentation Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Data and Information Management Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Log Management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Log Management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Establish/Maintain Documentation Detective
  • Privacy protection for information and data
    297
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include contact information in the privacy notice. CC ID 14432
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller. § 6-48.1-3.(a)(3)]
    Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and § 6-48.1-3.(a)(2)]
    Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all categories of personal data that the controller collects through the website or online service about customers; § 6-48.1-3.(a)(1)]
    Establish/Maintain Documentation Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)]
    Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)]
    Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing. § 6-48.1-3.(b)
    A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546
    [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Establish/Maintain Documentation Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{may not discriminate} No controller shall discriminate against a customer for exercising their customer rights. § 6-48.1-5.(b)
    {shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)]
    Human Resources Management Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{be different} {free of charge} Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount or club card programs that customers voluntarily participate. § 6-48.1-5.(d)]
    Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    A customer shall have the right to: Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer. § 6-48.1-5.(e)(4)]
    Data and Information Management Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Business Processes Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Business Processes Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Data and Information Management Preventive
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Technical Security Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    {opt out} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter. § 6-48.1-6.(b)(5)(ii)
    A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)]
    Business Processes Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Communicate Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Cooperate with Data Protection Authorities. CC ID 06870
    [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)]
    Data and Information Management Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b)
    A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Establish/Maintain Documentation Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 6-48.1-7.(c)(1)]
    Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Establish/Maintain Documentation Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Establish/Maintain Documentation Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Establish/Maintain Documentation Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of this chapter; § 6-48.1-7.(c)(3)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)]
    Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b)
    A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Assist another controller, processor or third party with any of the obligations of this chapter; or § 6-48.1-7.(o)(11)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and § 6-48.1-7.(c)(4)]
    Human Resources Management Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 6-48.1-7.(c)(2)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093
    [{be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Behavior Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Behavior Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the customer or another individual, and where the processing cannot be manifestly based on another legal basis; § 6-48.1-7.(o)(8)]
    Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Establish/Maintain Documentation Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Behavior Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545 Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Behavior Preventive
    Respond to data access requests in an official language. CC ID 17176 Communicate Preventive
    Delay responding to data access requests, as necessary. CC ID 15504
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Behavior Preventive
    Refrain from processing restricted data, as necessary. CC ID 12551 Records Management Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)]
    Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers. § 6-48.1-4.(d)]
    Data and Information Management Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550 Investigate Detective
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Business Processes Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and § 6-48.1-7.(o)(12)(i)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Under the responsibility of a professional subject to confidentiality obligations under federal, state or local law. § 6-48.1-7.(o)(12)(ii)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {refrain from adversely affecting} Nothing in this chapter shall be construed to: Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or § 6-48.1-7.(r)(1)]
    Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Communicate Corrective
    Process personal data for the purposes of employment. CC ID 16527 Data and Information Management Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: § 6-48.1-7.(o)(12)]
    Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)]
    Data and Information Management Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Establish/Maintain Documentation Preventive
    Define opt-out exceptions for disclosing restricted data. CC ID 00159
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)
    {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)]
    Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)]
    Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Data and Information Management Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not use the personal data to recognize or respond to the specific customer who is the subject of the personal data, or associate the personal data with the other personal data about the same specific customer; and § 6-48.1-7.(l)(2)
    {refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 6-48.1-7.(l)(3)
    {time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)
    A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)
    {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Data and Information Management Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Communicate Preventive
    Provide data at a cost that is not excessive. CC ID 00430
    [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)
    {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Data and Information Management Preventive
    Provide records or data in a reasonable manner. CC ID 00431
    [A customer shall have the right to: Obtain a copy of the customer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and § 6-48.1-5.(e)(3)]
    Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Data and Information Management Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Data and Information Management Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [Any controller in possession of de-identified data shall: Take reasonable measures to ensure that the data cannot be associated with an individual; § 6-48.1-7.(j)(1)
    Any controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 6-48.1-7.(j)(2)
    {refrain from requiring} Nothing in this chapter shall be construed to: Require a controller or processor to re-identify de-identified data or pseudonymous data; or § 6-48.1-7.(k)(1)
    {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)]
    Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)]
    Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; § 6-48.1-7.(o)(2)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(3)]
    Business Processes Corrective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Behavior Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under § 6-48.1-8. § 6-48.1-7.(d)
    {is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)]
    Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)
    {be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Establish/Maintain Documentation Preventive
    Define the fee structure for the appeal process. CC ID 16532 Process or Activity Preventive
    Define the time requirements for the appeal process. CC ID 16531 Process or Activity Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)]
    Communicate Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Communicate Preventive
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Data and Information Management Preventive
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Establish/Maintain Documentation Preventive
    Check the accuracy of restricted data. CC ID 00088 Data and Information Management Preventive
    Record restricted data correctly. CC ID 00089 Testing Detective
    Check the data accuracy of new accounts. CC ID 04859 Data and Information Management Preventive
    Use documents for identification that do not appear altered or forged. CC ID 04860 Establish/Maintain Documentation Preventive
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Testing Detective
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Data and Information Management Preventive
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Data and Information Management Preventive
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Data and Information Management Preventive
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Data and Information Management Preventive
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Data and Information Management Preventive
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Data and Information Management Preventive
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Data and Information Management Preventive
    Provide additional personal data when the application is incomplete. CC ID 04869 Data and Information Management Preventive
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Data and Information Management Detective
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Behavior Detective
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Data and Information Management Detective
    Interview appropriate parties to validate consumer information. CC ID 16902 Process or Activity Preventive
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Business Processes Detective
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Business Processes Preventive
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Process or Activity Preventive
  • Technical security
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Establish/Maintain Documentation Preventive
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Establish/Maintain Documentation Preventive
    Include termination procedures in the authorized representatives policy. CC ID 17226 Establish/Maintain Documentation Preventive
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Establish/Maintain Documentation Preventive
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Establish/Maintain Documentation Preventive
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Establish/Maintain Documentation Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)]
    Data and Information Management Preventive
  • Third Party and supply chain oversight
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Perform under a contract to which a customer is a party, including fulfilling the terms of a written warranty; § 6-48.1-7.(o)(6)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Take steps at the request of a customer prior to entering into a contract; § 6-48.1-7.(o)(7)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [Any controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter. § 6-48.1-7.(j)(3)]
    Establish/Maintain Documentation Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [{is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)]
    Establish/Maintain Documentation Detective
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Communicate Preventive
    Include the audit scope in the third party external audit report. CC ID 13138 Establish/Maintain Documentation Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Establish/Maintain Documentation Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Business Processes Preventive
    Provide products or services per customer requests. CC ID 08893
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a customer; § 6-48.1-7.(o)(5)]
    Business Processes Preventive
Common Controls and
mandates by Type
92 Mandated Controls - bold    
51 Implied Controls - italic     342 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
485 Total
  • Acquisition/Sale of Assets or Services
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Preventive
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580
    [{shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)]
    Acquisition or sale of facilities, technology, and services Preventive
  • Actionable Reports or Measurements
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
  • Audits and Risk Management
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Monitoring and measurement Preventive
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Human Resources management Detective
  • Behavior
    21
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Preventive
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Preventive
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Preventive
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Privacy protection for information and data Detective
  • Business Processes
    38
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement a fraud detection system. CC ID 13081
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Corrective
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Detective
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{be different} {free of charge} Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount or club card programs that customers voluntarily participate. § 6-48.1-5.(d)]
    Privacy protection for information and data Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    {opt out} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter. § 6-48.1-6.(b)(5)(ii)
    A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)]
    Privacy protection for information and data Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Preventive
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; § 6-48.1-7.(o)(2)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(3)]
    Privacy protection for information and data Corrective
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Privacy protection for information and data Detective
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Privacy protection for information and data Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Preventive
    Provide products or services per customer requests. CC ID 08893
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a customer; § 6-48.1-7.(o)(5)]
    Third Party and supply chain oversight Preventive
  • Communicate
    27
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} The attorney general may require a controller to disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available. The attorney general may evaluate the data protection assessment for compliance with responsibilities of this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 ("access to public records"). To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection. § 6-48.1-7.(f)]
    Audits and risk management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)]
    Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Corrective
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Corrective
    Capture personal data removal requests. CC ID 13507
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)]
    Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)]
    Privacy protection for information and data Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Preventive
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Preventive
  • Data and Information Management
    138
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Enforce access restrictions for restricted data. CC ID 01921
    [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)]
    Technical security Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)]
    Privacy protection for information and data Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    A customer shall have the right to: Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer. § 6-48.1-5.(e)(4)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Preventive
    Cooperate with Data Protection Authorities. CC ID 06870
    [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)]
    Privacy protection for information and data Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers. § 6-48.1-4.(d)]
    Privacy protection for information and data Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and § 6-48.1-7.(o)(12)(i)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Under the responsibility of a professional subject to confidentiality obligations under federal, state or local law. § 6-48.1-7.(o)(12)(ii)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {refrain from adversely affecting} Nothing in this chapter shall be construed to: Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or § 6-48.1-7.(r)(1)]
    Privacy protection for information and data Preventive
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Preventive
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Preventive
    Process personal data in order to advance the public interest. CC ID 00191
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: § 6-48.1-7.(o)(12)]
    Privacy protection for information and data Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)]
    Privacy protection for information and data Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Privacy protection for information and data Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)
    {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Provide data at a cost that is not excessive. CC ID 00430
    [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)
    {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Privacy protection for information and data Preventive
    Provide records or data in a reasonable manner. CC ID 00431
    [A customer shall have the right to: Obtain a copy of the customer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and § 6-48.1-5.(e)(3)]
    Privacy protection for information and data Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [Any controller in possession of de-identified data shall: Take reasonable measures to ensure that the data cannot be associated with an individual; § 6-48.1-7.(j)(1)
    Any controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 6-48.1-7.(j)(2)
    {refrain from requiring} Nothing in this chapter shall be construed to: Require a controller or processor to re-identify de-identified data or pseudonymous data; or § 6-48.1-7.(k)(1)
    {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)]
    Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)]
    Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Privacy protection for information and data Preventive
    Check the accuracy of restricted data. CC ID 00088 Privacy protection for information and data Preventive
    Check the data accuracy of new accounts. CC ID 04859 Privacy protection for information and data Preventive
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Privacy protection for information and data Preventive
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Privacy protection for information and data Preventive
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Privacy protection for information and data Preventive
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Privacy protection for information and data Preventive
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Privacy protection for information and data Preventive
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Privacy protection for information and data Preventive
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Privacy protection for information and data Preventive
    Provide additional personal data when the application is incomplete. CC ID 04869 Privacy protection for information and data Preventive
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Privacy protection for information and data Detective
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Privacy protection for information and data Detective
  • Establish Roles
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: § 6-48.1-3.(a)]
    Human Resources management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    176
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption. § 6-48.1-7.(t)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Preventive
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Preventive
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Technical security Preventive
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Technical security Preventive
    Include termination procedures in the authorized representatives policy. CC ID 17226 Technical security Preventive
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Technical security Preventive
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Technical security Preventive
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Technical security Preventive
    Establish, implement, and maintain a legal support program. CC ID 13710
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for or defend legal claims; § 6-48.1-7.(o)(4)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources management Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(1)]
    Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Preventive
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include the incident reference code in incident response notifications. CC ID 17292 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Operational management Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Preventive
    Include response times in the containment strategy. CC ID 13485 Operational management Preventive
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Preventive
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Detective
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Preventive
    Include contact information in the privacy notice. CC ID 14432
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller. § 6-48.1-3.(a)(3)]
    Privacy protection for information and data Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Privacy protection for information and data Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and § 6-48.1-3.(a)(2)]
    Privacy protection for information and data Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all categories of personal data that the controller collects through the website or online service about customers; § 6-48.1-3.(a)(1)]
    Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing. § 6-48.1-3.(b)
    A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546
    [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b)
    A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 6-48.1-7.(c)(1)]
    Privacy protection for information and data Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)]
    Privacy protection for information and data Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of this chapter; § 6-48.1-7.(c)(3)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)]
    Privacy protection for information and data Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b)
    A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Assist another controller, processor or third party with any of the obligations of this chapter; or § 6-48.1-7.(o)(11)]
    Privacy protection for information and data Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 6-48.1-7.(c)(2)]
    Privacy protection for information and data Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093
    [{be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Preventive
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the customer or another individual, and where the processing cannot be manifestly based on another legal basis; § 6-48.1-7.(o)(8)]
    Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Preventive
    Define opt-out exceptions for disclosing restricted data. CC ID 00159
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)
    {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not use the personal data to recognize or respond to the specific customer who is the subject of the personal data, or associate the personal data with the other personal data about the same specific customer; and § 6-48.1-7.(l)(2)
    {refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 6-48.1-7.(l)(3)
    {time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)
    A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under § 6-48.1-8. § 6-48.1-7.(d)
    {is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)]
    Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Define the appeal process based on the applicable law. CC ID 00506
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)
    {be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Preventive
    Use documents for identification that do not appear altered or forged. CC ID 04860 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Perform under a contract to which a customer is a party, including fulfilling the terms of a written warranty; § 6-48.1-7.(o)(6)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Take steps at the request of a customer prior to entering into a contract; § 6-48.1-7.(o)(7)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [Any controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter. § 6-48.1-7.(j)(3)]
    Third Party and supply chain oversight Preventive
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [{is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)]
    Third Party and supply chain oversight Detective
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Detective
  • Human Resources Management
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain an ethics program. CC ID 11496
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources management Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{may not discriminate} No controller shall discriminate against a customer for exercising their customer rights. § 6-48.1-5.(b)
    {shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)]
    Privacy protection for information and data Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and § 6-48.1-7.(c)(4)]
    Privacy protection for information and data Preventive
  • IT Impact Zone
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Preventive
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Detective
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Detective
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Detective
  • Log Management
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637 Monitoring and measurement Detective
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Preventive
  • Monitor and Evaluate Occurrences
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)]
    Monitoring and measurement Detective
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Preventive
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Detective
    Escalate incidents, as necessary. CC ID 14861 Operational management Corrective
  • Process or Activity
    29
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Correct compliance violations. CC ID 13515
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)]
    Monitoring and measurement Corrective
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes: § 6-48.1-7.(e)
    {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 6-48.1-7.(g)
    {be similar} If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. § 6-48.1-7.(h)]
    Audits and risk management Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Detective
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Operational management Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Detective
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Preventive
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)]
    Privacy protection for information and data Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Preventive
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Preventive
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Preventive
    Interview appropriate parties to validate consumer information. CC ID 16902 Privacy protection for information and data Preventive
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Privacy protection for information and data Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)]
    Privacy protection for information and data Preventive
  • Technical Security
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Corrective
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Privacy protection for information and data Preventive
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Preventive
  • Testing
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain a system security plan. CC ID 01922
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Monitoring and measurement Preventive
    Test incident monitoring procedures. CC ID 13194 Operational management Detective
    Record restricted data correctly. CC ID 00089 Privacy protection for information and data Detective
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Privacy protection for information and data Detective
Common Controls and
mandates by Classification
92 Mandated Controls - bold    
51 Implied Controls - italic     342 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
485 Total
  • Corrective
    17
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Correct compliance violations. CC ID 13515
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)]
    Monitoring and measurement Process or Activity
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Business Processes
    Escalate incidents, as necessary. CC ID 14861 Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Process or Activity
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Technical Security
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Communicate
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Communicate
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)]
    Privacy protection for information and data Data and Information Management
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Behavior
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Data and Information Management
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; § 6-48.1-7.(o)(2)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(3)]
    Privacy protection for information and data Business Processes
  • Detective
    32
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Human Resources management Audits and Risk Management
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Business Processes
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Process or Activity
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Operational management Process or Activity
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Process or Activity
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Monitor and Evaluate Occurrences
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Monitor and Evaluate Occurrences
    Test incident monitoring procedures. CC ID 13194 Operational management Testing
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Process or Activity
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Investigate
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Investigate
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Investigate
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Establish/Maintain Documentation
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Investigate
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Data and Information Management
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Behavior
    Record restricted data correctly. CC ID 00089 Privacy protection for information and data Testing
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Privacy protection for information and data Testing
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Privacy protection for information and data Data and Information Management
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Privacy protection for information and data Behavior
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Privacy protection for information and data Data and Information Management
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Privacy protection for information and data Business Processes
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [{is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Establish/Maintain Documentation
  • IT Impact Zone
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    428
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption. § 6-48.1-7.(t)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Monitoring and measurement Audits and Risk Management
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Establish/Maintain Documentation
    Implement a fraud detection system. CC ID 13081
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Monitoring and measurement Business Processes
    Establish, implement, and maintain a system security plan. CC ID 01922
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes: § 6-48.1-7.(e)
    {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 6-48.1-7.(g)
    {be similar} If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. § 6-48.1-7.(h)]
    Audits and risk management Process or Activity
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} The attorney general may require a controller to disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available. The attorney general may evaluate the data protection assessment for compliance with responsibilities of this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 ("access to public records"). To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection. § 6-48.1-7.(f)]
    Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)
    {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Technical security Establish/Maintain Documentation
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Technical security Establish/Maintain Documentation
    Include termination procedures in the authorized representatives policy. CC ID 17226 Technical security Establish/Maintain Documentation
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Technical security Establish/Maintain Documentation
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Technical security Establish/Maintain Documentation
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Technical security Establish/Maintain Documentation
    Enforce access restrictions for restricted data. CC ID 01921
    [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)]
    Technical security Data and Information Management
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: § 6-48.1-3.(a)]
    Human Resources management Establish Roles
    Establish, implement, and maintain a legal support program. CC ID 13710
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for or defend legal claims; § 6-48.1-7.(o)(4)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an ethics program. CC ID 11496
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources management Human Resources Management
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Communicate
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Behavior
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Investigate
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Behavior
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Monitor and Evaluate Occurrences
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Monitor and Evaluate Occurrences
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Business Processes
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Business Processes
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Communicate
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Establish/Maintain Documentation
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Behavior
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Behavior
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Behavior
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Human Resources management Human Resources Management
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Human Resources Management
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Human Resources Management
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Establish Roles
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Behavior
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Behavior
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Behavior
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(1)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Business Processes
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Communicate
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Establish/Maintain Documentation
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Establish/Maintain Documentation
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Establish/Maintain Documentation
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Establish/Maintain Documentation
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Establish/Maintain Documentation
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Establish/Maintain Documentation
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Establish/Maintain Documentation
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Establish/Maintain Documentation
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include the incident classification criteria in incident response notifications. CC ID 17293 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include the incident reference code in incident response notifications. CC ID 17292 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Operational management Establish/Maintain Documentation
    Include costs associated with the incident in incident response notifications. CC ID 17300 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Establish/Maintain Documentation
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Establish/Maintain Documentation
    Include response times in the containment strategy. CC ID 13485 Operational management Establish/Maintain Documentation
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Data and Information Management
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Data and Information Management
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Establish/Maintain Documentation
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Establish/Maintain Documentation
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Data and Information Management
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Log Management
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Log Management
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Establish/Maintain Documentation
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)]
    Operational management Establish/Maintain Documentation
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Refrain from providing products and services, as necessary. CC ID 15580
    [{shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)]
    Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Establish/Maintain Documentation
    Include contact information in the privacy notice. CC ID 14432
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller. § 6-48.1-3.(a)(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and § 6-48.1-3.(a)(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all categories of personal data that the controller collects through the website or online service about customers; § 6-48.1-3.(a)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)]
    Privacy protection for information and data Communicate
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)]
    Privacy protection for information and data Data and Information Management
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Business Processes
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Business Processes
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Process or Activity
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Process or Activity
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing. § 6-48.1-3.(b)
    A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request procedures. CC ID 16546
    [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)]
    Privacy protection for information and data Establish/Maintain Documentation
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{may not discriminate} No controller shall discriminate against a customer for exercising their customer rights. § 6-48.1-5.(b)
    {shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)]
    Privacy protection for information and data Human Resources Management
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{be different} {free of charge} Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount or club card programs that customers voluntarily participate. § 6-48.1-5.(d)]
    Privacy protection for information and data Business Processes
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Business Processes
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    A customer shall have the right to: Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer. § 6-48.1-5.(e)(4)]
    Privacy protection for information and data Data and Information Management
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Business Processes
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Business Processes
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Privacy protection for information and data Technical Security
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e)
    {opt out} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter. § 6-48.1-6.(b)(5)(ii)
    A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)]
    Privacy protection for information and data Business Processes
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Cooperate with Data Protection Authorities. CC ID 06870
    [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b)
    A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Establish/Maintain Documentation
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 6-48.1-7.(c)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of this chapter; § 6-48.1-7.(c)(3)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b)
    A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Assist another controller, processor or third party with any of the obligations of this chapter; or § 6-48.1-7.(o)(11)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and § 6-48.1-7.(c)(4)]
    Privacy protection for information and data Human Resources Management
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 6-48.1-7.(c)(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093
    [{be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Establish/Maintain Documentation
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Data and Information Management
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Data and Information Management
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Behavior
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Data and Information Management
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Behavior
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Behavior
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Establish/Maintain Documentation
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the customer or another individual, and where the processing cannot be manifestly based on another legal basis; § 6-48.1-7.(o)(8)]
    Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Behavior
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish, implement, and maintain data access procedures. CC ID 00414
    [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Behavior
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Communicate
    Delay responding to data access requests, as necessary. CC ID 15504
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Behavior
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Records Management
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)]
    Privacy protection for information and data Process or Activity
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers. § 6-48.1-4.(d)]
    Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Business Processes
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Business Processes
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Business Processes
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Business Processes
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Process or Activity
    Process restricted data lawfully and carefully. CC ID 00086
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Privacy protection for information and data Establish Roles
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Technical Security
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Records Management
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Data and Information Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Records Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Process or Activity
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Records Management
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Data and Information Management
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Business Processes
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Establish/Maintain Documentation
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Establish/Maintain Documentation
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Data and Information Management
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Data and Information Management
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Data and Information Management
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Data and Information Management
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Data and Information Management
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Data and Information Management
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Data and Information Management
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and § 6-48.1-7.(o)(12)(i)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Under the responsibility of a professional subject to confidentiality obligations under federal, state or local law. § 6-48.1-7.(o)(12)(ii)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {refrain from adversely affecting} Nothing in this chapter shall be construed to: Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or § 6-48.1-7.(r)(1)]
    Privacy protection for information and data Data and Information Management
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Data and Information Management
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Data and Information Management
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Data and Information Management
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Business Processes
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Data and Information Management
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Data and Information Management
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Data and Information Management
    Process personal data in order to advance the public interest. CC ID 00191
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: § 6-48.1-7.(o)(12)]
    Privacy protection for information and data Data and Information Management
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)]
    Privacy protection for information and data Data and Information Management
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Data and Information Management
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Data and Information Management
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Data and Information Management
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Data and Information Management
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Data and Information Management
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Data and Information Management
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Establish/Maintain Documentation
    Define opt-out exceptions for disclosing restricted data. CC ID 00159
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)
    {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Establish/Maintain Documentation
    Capture personal data removal requests. CC ID 13507
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)]
    Privacy protection for information and data Communicate
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)]
    Privacy protection for information and data Records Management
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Process or Activity
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Privacy protection for information and data Data and Information Management
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198
    [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)]
    Privacy protection for information and data Data and Information Management
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Data and Information Management
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Data and Information Management
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Data and Information Management
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Behavior
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Data and Information Management
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Data and Information Management
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Establish/Maintain Documentation
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Data and Information Management
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not use the personal data to recognize or respond to the specific customer who is the subject of the personal data, or associate the personal data with the other personal data about the same specific customer; and § 6-48.1-7.(l)(2)
    {refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 6-48.1-7.(l)(3)
    {time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)
    A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Privacy protection for information and data Data and Information Management
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Data and Information Management
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Data and Information Management
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Process or Activity
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Data and Information Management
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Data and Information Management
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Data and Information Management
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Data and Information Management
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Data and Information Management
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Data and Information Management
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)
    {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Privacy protection for information and data Data and Information Management
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Communicate
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Data and Information Management
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Process or Activity
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Data and Information Management
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Data and Information Management
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)]
    Privacy protection for information and data Communicate
    Provide data at a cost that is not excessive. CC ID 00430
    [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)
    {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)]
    Privacy protection for information and data Data and Information Management
    Provide records or data in a reasonable manner. CC ID 00431
    [A customer shall have the right to: Obtain a copy of the customer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and § 6-48.1-5.(e)(3)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Establish/Maintain Documentation
    Use personal data for specified purposes. CC ID 11831
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Establish/Maintain Documentation
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3)
    The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4)
    {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [Any controller in possession of de-identified data shall: Take reasonable measures to ensure that the data cannot be associated with an individual; § 6-48.1-7.(j)(1)
    Any controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 6-48.1-7.(j)(2)
    {refrain from requiring} Nothing in this chapter shall be construed to: Require a controller or processor to re-identify de-identified data or pseudonymous data; or § 6-48.1-7.(k)(1)
    {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)]
    Privacy protection for information and data Data and Information Management
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Data and Information Management
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)]
    Privacy protection for information and data Data and Information Management
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Data and Information Management
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Data and Information Management
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Behavior
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under § 6-48.1-8. § 6-48.1-7.(d)
    {is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Define the appeal process based on the applicable law. CC ID 00506
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)
    {be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Process or Activity
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Process or Activity
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)]
    Privacy protection for information and data Communicate
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Check the accuracy of restricted data. CC ID 00088 Privacy protection for information and data Data and Information Management
    Check the data accuracy of new accounts. CC ID 04859 Privacy protection for information and data Data and Information Management
    Use documents for identification that do not appear altered or forged. CC ID 04860 Privacy protection for information and data Establish/Maintain Documentation
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Privacy protection for information and data Data and Information Management
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Privacy protection for information and data Data and Information Management
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Privacy protection for information and data Data and Information Management
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Privacy protection for information and data Data and Information Management
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Privacy protection for information and data Data and Information Management
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Privacy protection for information and data Data and Information Management
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Privacy protection for information and data Data and Information Management
    Provide additional personal data when the application is incomplete. CC ID 04869 Privacy protection for information and data Data and Information Management
    Interview appropriate parties to validate consumer information. CC ID 16902 Privacy protection for information and data Process or Activity
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Privacy protection for information and data Business Processes
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Perform under a contract to which a customer is a party, including fulfilling the terms of a written warranty; § 6-48.1-7.(o)(6)
    This chapter shall not be construed to restrict a controller's or processor's ability to: Take steps at the request of a customer prior to entering into a contract; § 6-48.1-7.(o)(7)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [Any controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter. § 6-48.1-7.(j)(3)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Communicate
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Business Processes
    Provide products or services per customer requests. CC ID 08893
    [This chapter shall not be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a customer; § 6-48.1-7.(o)(5)]
    Third Party and supply chain oversight Business Processes