Here’s a questionnaire you can use to help an entity conduct an initial risk assessment of its information-handling activities.
What personal information about customers and employees does the organization collect and retain?

What personal data are used in carrying out business, for example, in sales, marketing, fund raising and customer relations?

What personal information is obtained from or disclosed to affiliates or third parties, for example, in payroll outsourcing?

What is the impact of U.S. privacy laws and regulations and/or international privacy requirements on the company? (This may require a

How does the organization’s business plan address the privacy of personal information?

Implementing a privacy program
To what degree is the company’s senior management actively involved in the development, implementation and/or promotion of privacy measures within the organization?

Has the entity assigned someone (for example, a chief privacy officer) the responsibility for compliance with privacy

Has the designated privacy officer been given clear authority to oversee the company’s information-handling practices?

Are adequate resources available at the company for developing, implementing and maintaining a privacy compliance system?

What privacy policies has the organization established with respect to the collection, use, disclosure and retention of personal information?

How are the policies and procedures for managing personal information communicated to

How are employees with access to personal information trained in privacy

Are the appropriate forms and documents required by the system fully developed?

Managing privacy risk
What specific objectives have been established in order to comply with the organization’s established privacy policies?

What are the consequences of not meeting the specific privacy objectives?

To what extent have appropriate control measures been identified and implemented?

How is the effectiveness of the privacy control measures monitored and reported?

What mechanisms are in place to effectively address failures to properly apply the company’s established privacy policies and

The results of the risk assessment will dictate whether and to what extent an entity should implement a privacy program or supplement a current one.