This self-assessment test allows companies to evaluate their practices around personally identifiable information (PII) and receive a score that can be shared publicly. It contains 90 questions regarding how companies collect, use, secure, and allow individuals to access their PII.
9. Did you receive consumer permission for a blanket or first use and possession, and are you now utilizing the data for second-use purposes other than the stated reason given to the consumer in order to collect the information?
10. Is the consumer unaware of how you're utilizing their PII?
11. Did you, or do you, collect data through the monitoring of consumers and harvest their PII without their consent or knowledge?
12. Did you buy the PII from a vendor or data broker?
13. Did you harvest or gather the PII directly from the personal or corporate communications of the targets (metadata searches of e-mails, or corporate-monitored e-mails of employees)?
14. How great do you believe the expectation of privacy to be of the individual or individuals that you monitor in order to capture the PII?
15. What sort of safeguarding have you deployed to ensure you have given adequate warning about your monitoring and received the necessary permission to monitor your subjects?
16. Are your subjects required to accept or agree to being monitored in order to utilize your system, website, software, goods, or services?
17. Do you harvest data collected from third-party blogs, social media websites, and other posted media accounts or websites?
18. Do you own the copyright or a license to utilize the media or data you have collected, so that you may republish, re-broadcast, reprint, or re-communicate the original copyrighted material produced and created by your targets, subjects, or customers?
19. Is the information searchable by a personal identifier?
20. Do you have a system that identifies and tracks consumer information?
21. Have you not anonymized second-use data by removing any and all information that can be said to be PII or that relates back to an individual, their place of residence, or their employment?
22. Is data storage and sales your primary business purpose, or does it generate at least 50% of your net revenues?
23. Explain how long you retain the information.
24. For what reason is the information retained?
25. Are there any forms or surveys associated with the collection of the information that would be covered by the Paperwork Reduction Act (PRA)?
26. Do you hire outside experts to audit your systems and organization for PII compliance?
27. Do you have internal auditing to ensure best practices on personally identifiable information or specific device identifiable information?
28. Will individuals be given notice prior to the collection of personal information about them?
29. Are there any privacy risks for this system that relate to openness and transparency? If so, how will you mitigate these risks?
30. Do you state the reasons why you collect any and all PII which you are collecting?
31. Are those reasons for collection and the sorts of data you do collect made obvious and apparent by being in the first section or paragraph of any disclosures, and stated in plain, regular language that is easy to understand? (Ex: We collect your name and address. We use it to market to you by sending you our catalogs. We sell your information to third parties, who may use it for purposes unknown to us.)
32. Whose information is included in the system?
33. What PII will the system include?
34. Why is the collection and use of the PII necessary to the project or system?
35. Will the system aggregate previously unavailable data about the individual or create new data about the individual? If so, how will this data be maintained and used?
36. What controls exist to protect the consolidated data and prevent unauthorized access?
37. Will the system monitor the public?
38. Who will monitor the system?
39. Do you have a set policy of access and control procedures for sensitive data, or “need to know only” ratings and designations for your personnel?
40. Will the system monitor employees or contractors?
41. What kinds of reports can be produced on individuals from the data you harvest?
42. Will the data included in the reports produced be made anonymous?
43. Are there any privacy risks for this system that relate to data minimization? If so, how will you mitigate these risks?
44. Is the information in the project limited to only the information that is needed to carry out the purpose of the collection?
45. Will you share any of the information with other individuals, federal and/or state agencies, or private sector organizations? If so, how will you share the information?
46. Is the information collected directly from the individual, or is it taken from another source?
47. Will the project interact with other systems, whether within your organization or outside of it? If so, how?
48. Are there any privacy risks for this project that relate to use limitation? If so, how will you mitigate these risks?
49. Do you have permission to share the PII or specific device identifiable information?
50. Do you give assurances of any type stating that you shall not share the PII?
51. Did you give any assurances about the way you shall use the PII?
52. Do you honor those assurances if you give them? If so, how do you ensure those assurances are carried out?
53. Was the PII you collect gathered after stating its intended use? Do you use the PII in any other ways not known to the individuals it identifies?
54. What steps do you take to ensure that all PII is accurate, relevant, timely, and complete?
55. How will the information collected be verified for accuracy and completeness?
56. Are there any privacy risks for individuals whose information is collected or used by the project that relate to data quality and integrity? If so, how will you mitigate these risks?
57. What possible consequences or harms could come to an individual whose PII you collect in an inaccurate, incomplete, or untimely manner?
58. Do you have a plan in place to mitigate and minimize those consequences or harms in a timely and responsible manner?
59. Does that plan include public relations media damage control?
60. Who else, or what other organizations, could be harmed if the data you collect and provide is incomplete, inaccurate, or untimely?
61. Which individuals or companies depend on the PII you collect and provide? How do they use that PII in their operations?
62. On a scale of 1 to 10, with 10 being life or death and 1 being a possible customer failing to hear about your upcoming Saturday sale, how important are the accuracy, completeness, timeliness, and relevancy of the PII you collect?
63. Have you completed a system security plan for the information system(s) supporting the project? Who has the Authority to Operate (“ATO”) the system?
64. How is that authority decided?
65. Do you have different levels of access?
66. Which employees shall be authorized personnel, including employees and contractors acting on behalf of the organization?
67. Which personnel's official duties require access?
68. Do you have a standard operating procedure for terminating or reducing access for individuals who no longer have a need to know all or certain information?
69. Do you have an operating policy?
70. What security controls and safeguards exist to protect information contained in the system against unauthorized disclosure and access?
71. Do you have policies and procedures for:
    - Conducting background checks on all personnel with access to the system?
    - Initial and follow-on privacy and security awareness training for each individual with access to the system?
    - Physical perimeter security safeguards?
    - A Security Operations Center to monitor antivirus and intrusion detection software?
    - Risk and controls assessments and mitigation?
    - Technical access controls, such as role-based access management and firewalls?
    - Disaster mitigation strategies, breach notification processes and plans, and secure channels for submitting transaction information?
72. Are there mechanisms in place to identify security breaches? If so, what are they?
73. Are there any privacy risks for this system that relate to security? If so, how will you mitigate these risks?
74. Do you give individuals, in most cases, the ability to access their PII, and allow them to correct or amend their PII if it is inaccurate?
75. What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project?
76. If no opportunities are available to consent, decline, or opt out, please explain why.
77. What procedures will allow individuals to access their information?
78. Can individuals amend information about themselves in the system?
79. Are there any privacy risks for this system that relate to individual participation?
80. Who will train all personnel about the proper treatment of PII?
81. Describe what privacy training is provided to users, either generally or specifically relevant to the project.
82. Are there any privacy risks for this system that relate to awareness and training? If so, how will you mitigate these risks?
83. Have you hired coaches or lecturers to train employees?
84. Do you have mandatory reading for employees?
85. Do you use consultants to teach employees?
86. Do you test employees?
87. Do you have company-wide certification?
88. Who developed that certification? How up to date is it?
89. How does the system ensure that the information is used in accordance with the stated practices in this assessment?
90. Do you have internal auditing?
91. How often do you review your policies for weaknesses or outdated systems?
92. Do you run vulnerability tests against your own system? If so, how often?
93. Do you hire outside experts to audit your systems and organization for PII compliance?