Global CBPR & PRP Certification

The privacy notice or statement must provide clear and easily accessible statements about your practices and policies that govern personal information and must include the following:

Collection of Publicly-Available Information: Personal information controllers do not need to provide notice regarding the collection and use of publicly available information.

Technological Impracticability: Personal Information controllers do not need to provide notice at or before the time of collection in those cases where electronic technology automatically collects information when a prospective customer initiates contact (e.g. through the use of cookies). However, the notice should be provided to the individuals as soon after as is practicable.

Disclosure to a government institution which has made a request for the information with lawful authority: Personal information controllers do not need to provide notice of disclosure to law enforcement agencies for investigation purposes where the provision of such notice to the individual will likely prejudice the investigation.

Disclosure to a third party pursuant to a lawful form of process: Personal information controllers do not need to provide notice of disclosure to a third party when such disclosure was requested pursuant to a lawful form of process such as a discovery request made in the course of civil litigation.

Third-Party Receipt: Where personal information is received from a third party, the recipient personal information controller does not need to provide notice to the individuals at or before the time of collection of the information.

For legitimate investigation purposes: When providing notice would compromise the availability or accuracy of the information and the collection, use and disclosure are reasonable for purposes relating to an internal or external investigation of a violation of a code of conduct, breach of contract or a contravention of domestic law.

Action in the event of an emergency: Personal Information controllers do not need to provide notice in emergency situations that threaten the life, health or security of an individual.

1. The collection of personal information must be limited to information that is relevant to the purposes of collection, consistent with the requirements of the jurisdiction where data was collected, and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the individual concerned.
2. Identify the type of data collected, the economies where data is collected, the source (i.e., the individual or a third party) and the corresponding purposes and use of collection for each type of data.

1. Personal information collected must be used only to fulfill the purposes of collection and other compatible or related purposes as identified in the privacy statement and/or in the notice provided at the time of collection except for one of the following:
   1. With the consent of the individual whose personal information is collected;
      1. Consent must be a documented description or documentation that consent was obtained
   2. When necessary to provide a service or product requested by the individual; or
      1. A description must be documented of how the disclosure and/or transfer of collected personal information is necessary to provide a service or product requested by the individual
   3. By the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
      1. A description must be documented of how collected information shared, used or disclosed as compelled by law including the legal requirements under which it is compelled to share the personal information, unless the client is bound by confidentiality requirements for the purposes of this Principle, uses of personal information include the transfer or disclosure of personal information.
2. If personal information is disclosed to other personal information controllers or transferred to processors, such disclosure and/or transfer must be undertaken to fulfill the original purpose of collection or another compatible or related purpose, unless based upon the express consent of the individual necessary to provide a service or product requested by the individual or compelled by law.
   1. Identify the type of data disclosed or transferred, the economies where data was transferred, the corresponding purpose of collection for each type of disclosed data, and the manner in which the disclosure fulfills the identified purpose (e.g. order fulfillment etc.).

1. A mechanism* must be provided for individuals to exercise choice in relation to the collection of their personal information.
2. A mechanism* must be provided for individuals to exercise choice in relation to the use of their personal information. Subject to the qualifications* outlined below, the opportunity to exercise choice should be provided to the individual at the time of collection, for subsequent uses of personal information. The opportunity to exercise choice may be provided to the individual after collection, but before:
   1. Being able to make use of the personal information, when the purposes of such use is not related or compatible to the purpose for which the information was collected, and
   2. Personal information may be disclosed or distributed to third parties, other than Service Providers.
3. A mechanism* must be provided for individuals to exercise choice in relation to the disclosure of their personal information. Subject to the qualifications outlined below, the opportunity to exercise choice should be provided to the individual at the time of collection, for subsequent disclosures of personal information. The opportunity to exercise choice may be provided to the individual after collection, but before:
   1. Disclosing the personal information to third parties, other than Service Providers.
4. Choices must be displayed or provided in a clear and conspicuous manner, clearly worded and easily understandable, and easily accessible and affordable.
   

*The following are situations in which the application of the Global CBPR Choice Principle may not be necessary or practical. Justification for any of the following will be required.

Obviousness: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in the collection, use or third-party sharing of personal information in those circumstances where consent by the individual can be inferred from the provision of the individual’s information.

Collection of Publicly-Available Information: Personal information controllers do not need to provide a mechanism for individuals to exercise choice in relation to the collection and use of publicly available information.

Technological Impracticability: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in relation to those cases where electronic technology automatically collects information when a prospective customer initiates contact [e.g. use of cookies]. However, a mechanism to exercise choice as to use and disclosure should be provided after collection of the information.

Third-Party Receipt: Where personal information is received from a third party, the recipient personal information controller does not need to provide a mechanism for individuals to exercise choice in relation to the collection of the information. However, if the personal information controller engages a third party to collect personal information on its behalf, the personal information controller should instruct the collector to provide such choice when collecting the personal information.

Disclosure to a government institution which has made a request for the information with lawful authority: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in relation to disclosure to law enforcement agencies for investigation purposes where the provision of such mechanism to the individual will likely prejudice the investigation.

Disclosure to a third party pursuant to a lawful form of process: Personal information controllers do not need to provide a mechanism for individuals to exercise choice in relation to the disclosure to a third party when such disclosure was requested pursuant to a lawful form of process such as a discovery request made in the course of civil litigation.

For legitimate investigation purposes: When providing a mechanism for individuals to exercise choice would compromise the availability or accuracy of the personal information and its collection, use and disclosure are reasonable for purposes relating to an internal or external investigation of a violation of a code of conduct, breach of contract or a contravention of domestic law.

Action in the event of an emergency: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in emergency situations that threaten the life, health or security of an individual.

1. Personal information must be accurate, complete and kept up-to date to the extent necessary for the purposes of use.
2. Provide individuals the ability to challenge the accuracy of their personal information and to have it rectified, completed, amended and/or deleted and ensure procedures are in place to complete the request including communication and confirmation of the request to processors, agent, or other service providers to whom the personal information was transferred. Access and correction mechanisms must be presented in a clear and conspicuous manner. The request should be completed within a reasonable time frame following the request and a confirmation should be provided that the request has been completed.
3. If correction is denied, an explanation should be provided, together with contact information for further inquiries about the denial of access or correction
4. Require processors, agents, or other service providers acting on your behalf to inform you when they become aware of information that is inaccurate, incomplete, or out-of-date and ensure procedures are in place to complete the correction.

1. Maintain a written information security policy.
2. Implement physical, technical and administrative safeguards to protect personal information against risks such as loss or unauthorized access, destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.
3. Communicate to employees their obligations and the importance of maintaining the security of personal information.
4. Require information processors, agents, contractors, or other service providers to whom personal information is transferred to protect against leakage, loss or unauthorized access, destruction, use, modification or disclosure or other misuses of the information. Such requirement should include:
   1. Implementing an information security program that is proportionate to the sensitivity of the information and services provided
   2. Notifying you promptly when they become aware of an occurrence of breach of the privacy or security of the personal information
   3. Taking immediate steps to correct/address the security failure which caused the privacy or security breach
5. Maintain a policy for secure disposal of personal information.
6. Implement procedures to detect, prevent, and respond to attacks, intrusions, or other security failures.
7. Perform tests on a periodic basis on the effectiveness of the implemented physical, technical and administrative safeguards.
8. Perform risk assessments or third-party validations on a periodic basis that include the implemented physical, technical and administrative safeguards and review the results of the assessment or third-party validation for remediation.

1. Provide individuals the ability to obtain confirmation of whether or not personal information is held about the requesting individual.

2. If requested, provide individuals access to their personal information. Prior to providing access, confirm the identity of the individual requesting access. Provide access within a reasonable time frame following the request and communicate the information in a reasonable manner that is generally understandable, in a legible format and compatible with the regular form of interaction with the individual.

3. If a fee is charged for providing access, the fees should not be excessive.

4. If the individual is denied access, an explanation must be provided as to why access was denied and provide the appropriate contact information for challenging the denial of access where appropriate.

*Although organizations should always make good faith efforts to provide access, there are some situations, described below, in which it may be necessary for organizations to deny access requests. Justification for any of the following will be required.

Disproportionate Burden: Personal information controllers do not need to provide access and correction where the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual's privacy in the case in question, as for example when claims for access are repetitious or vexatious by nature.

Protection of Confidential Information: Personal information controllers do not need to provide access and correction where the information cannot be disclosed due to legal or security reasons or to protect confidential commercial information (i.e. information that you have taken steps to protect from disclosure, where such disclosure would facilitate a competitor in the market to use or exploit the information against your business interest causing significant financial loss). Where confidential commercial information can be readily separated from other information subject to an access request, the personal information controller should redact the confidential commercial information and make available the non-confidential commercial information to the extent that such information constitutes personal information of the individual concerned. Other situations would include those where disclosure of information would benefit a competitor in the market place, such as a particular computer or modeling program. Furthermore, a denial of access may also be considered acceptable in situations where, for example providing the information would constitute a violation of laws or would compromise security.

Third Party Risk: Personal information controllers do not need to provide access and correction where the information privacy of persons other than the individual would be violated. In those instances where a third party’s personal information can be severed from the information requested for access or correction, the personal information controller must release the information after redaction of the third party’s personal information.

1. Implement measures to ensure compliance the Global CBPR Privacy Principles.
2. Appoint an individual(s) to be responsible for overall compliance with the Privacy Principles.
3. Implement procedures to receive, investigate, and respond to privacy-related complaints as well as an explanation of any remedial action where applicable. The procedures should include:
   1. A description of how individuals may submit complaints,
   2. A designated employee(s) to handle complaints related to the Applicant’s compliance with the Global CBPR Framework and/or requests from individuals for access to personal information, and
   3. A formal complaint-resolution process.
4. Procedures should ensure individuals receive a timely response to their complaints.
5. Complete formal training with employees that are responsible for carrying out the privacy-related complaints as well as responding to judicial or other government subpoenas, warrants or orders.
6. Implement procedures for responding to judicial or other government subpoenas, warrants or orders, including those that require the disclosure of personal information.