This questionnaire highlights key questions businesses should ask with the aim of understanding privacy risk, implementing sound privacy policies and practices, managing privacy risk, and obtaining privacy assurance.

- What personal information about customers and employees does the organization collect and retain?
- What personal information does the organization need and use in carrying out business, for example, in sales, marketing, fundraising, and customer relations activities?
- What personal information is obtained from or disclosed to affiliates or third parties, for example, in payroll outsourcing?
- What is the impact of United States privacy laws and regulations, and/or international privacy requirements, on the organization (which may require a legal interpretation)?
- How does the organization’s business plan address the privacy of personal information?

- To what degree is senior management actively involved in the development, implementation, and/or promotion of privacy measures within the organization?
- Has the organization assigned someone (for example, a chief privacy officer) the responsibility for compliance with privacy legislation?
- Has the designated privacy officer been given clear authority to oversee the organization’s information handling practices?
- Are adequate resources available for developing, implementing, and maintaining a privacy compliance system?
- What privacy policies has the organization established with respect to the collection, use, disclosure, and retention of personal information?
- How are the policies and procedures for managing personal information communicated to employees?
- How are employees with access to personal information trained in privacy protection?
- Are the appropriate forms and documents required by the system fully developed?

- To comply with the organization’s established privacy policies, what specific objectives have been established?
- What are the consequences of not meeting the specific privacy objectives?
- To what extent have appropriate control measures been identified and implemented?
- How is the effectiveness of the privacy control measures monitored and reported?
- What mechanisms are in place to effectively address failures to properly apply the organization’s established privacy policies and procedures?
- How would the organization benefit from a comprehensive assessment of the risks, controls, and business disclosures associated with personal information privacy?
- Has the organization considered the value-added services available from an independent assurance practitioner with respect to both offline and online privacy?