Standardized ethical data collection assessment test


Upload: joel-drotts

Post on 12-Apr-2017


Page 1: Standardized ethical data collection assessment test

This self-assessment test allows data collection agencies to get their Personally Identifiable Information and Specific Device Identifiable Information Consumer Fairness Best Practices Score, which can then be shared with the public.

©2015 Joel Drotts on behalf of

The Association for Consumer Effectiveness

http://www.oneacedata.com

TRUE FALSE

2. Is the information absolutely mandatory to the functioning of the services or operations of the business (Ex: A bank must know the customer's bank account number.)?

Is the data collected for the following purposes (3-6):

3. To keep a profile in a database so customer order or payment information is more accessible and need not be re-entered?

4. To aid and assist in the company's own internal operations and functioning (to study and track your own customers' buying trends, to seek improved sales and more desirable products)?

5. To aid in larger research projects of your industry and profession (doctors comparing cases and statistics for scientific purposes)?

6. To sell that information as a retail item (the geo-location of a consumer's phone in relation to nearby stores and restaurants, in order to bring or offer the consumer more relevant ads)?

7. What legal authority and/or agreements allow the information to be collected?

8. You have not lawfully and ethically obtained, in writing or another evidentiary medium, a knowing and willing consent to possess and use the consumer information for the purposes for which you are using that data?


9. Did you receive consumer permission for a blanket or first use and possession, and are you now utilizing the data for second-use purposes other than the stated reason given to the consumer in order to collect the information?

10. Does the consumer not know how you are utilizing their PII?

11. Did you collect data through or by the monitoring of consumers and harvest their PII without their consent or knowledge?

12. Did you buy the PII from a vendor or data broker?

13. Did you harvest or gather the PII directly from the personal or corporate communications of the targets (metadata searches of e-mails, or corporate-monitored e-mails of employees)?

14. How great do you believe the expectation of privacy to be of the individual or individuals that you monitor in order to capture the PII?

15. What sort of safeguarding have you deployed to ensure you have given adequate warning about your monitoring and received the necessary permission to monitor your subjects?

16. Are your subjects required to accept or agree to being monitored in order to utilize your system, website, software, goods, or services?

17. You harvest the data collected from third-party blogs, social media websites, and other posted media accounts or websites.

18. You own the copyright or a license to utilize the media or data which you have collected, in order for you to republish, re-broadcast, reprint, or re-communicate the original copyrighted material produced and created by your targets, subjects, or customers?

19. Is the information searchable by a personal identifier?

20. You have a system that identifies and tracks consumer information?


21. You have not made second-use data anonymous by removing any and all information that can be said to be PII or to relate back to an individual, their place of residence, or their employment?

22. Data storage and sales is your primary business purpose or generates at least 50% of your net revenues?

23. Explain how long you retain the information.

24. For what reason is the information retained?

25. Are there any forms or surveys associated with the collection of the information that would be covered by the Paperwork Reduction Act (PRA)?

26. Do you hire outside experts to audit your systems and organization for PII compliance?

27. Do you have internal auditing to ensure best practices on Personally Identifiable Information or Specific Device Identifiable Information?

28. Will individuals be given notice prior to the collection of personal information about them?

29. Are there any privacy risks for this system that relate to openness and transparency? If so, how will you mitigate these risks?

30. Do you state the reasons why you collect any and all PII which you are collecting?

31. Are those reasons for collection and the sorts of data you collect made obvious and apparent by being in the first section or paragraph of any disclosures, and stated in plain, regular language that is easy to understand? (Ex: We collect your name and address. We use it to market to you by sending you our catalogs. We sell your information to third parties, who may use it for purposes unknown to us.)

32. Whose information is included in the system?

33. What PII will the system include?

34. Why is the collection and use of the PII necessary to the project or system?


35. Will the system aggregate previously unavailable data about the individual or create new data about the individual? If so, how will this data be maintained and used?

36. What controls exist to protect the consolidated data and prevent unauthorized access?

37. Will the system monitor the public?

38. Who will monitor the system?

39. Do you have a set policy of access and control procedures for sensitive data, or "need to know only" ratings and designations for your personnel?

40. Will the system monitor employees or contractors?

41. What kinds of reports can be produced on individuals from the data you harvest?

42. Will the data included in the reports produced be made anonymous?

43. Are there any privacy risks for this system that relate to data minimization? If so, how will you mitigate these risks?

44. Is the information in the project limited to only the information that is needed to carry out the purpose of the collection?

45. Will you share any of the information with other individuals, Federal and/or state agencies, or private sector organizations? If so, how will you share the information?

46. Is the information collected directly from the individual, or is it taken from another source?

47. Will the project interact with other systems, whether within your organization or outside of your organization? If so, how?

48. Are there any privacy risks for this project that relate to use limitation? If so, how will you mitigate these risks?

49. Do you have permission to share the PII or Specific Device Identifiable Information?


50. Do you give assurances of any type stating that you shall not share the PII?

51. Did you give any assurances about the way you shall use the PII?

52. Do you honor those assurances if you give them? If so, how do you ensure those assurances are carried out?

53. The PII you collect was collected by stating its use? Do you use the PII in any other ways not known to the individuals it identifies?

54. What steps do you take to ensure that all PII is accurate, relevant, timely, and complete?

55. How will the information collected be verified for accuracy and completeness?

56. Are there any privacy risks for individuals whose information is collected or used by the project that relate to data quality and integrity? If so, how will you mitigate these risks?

57. What possible consequences or harms could come to an individual whose PII you collect in an inaccurate, incomplete, or untimely manner?

58. Do you have a plan in place to mitigate and minimize those consequences or harms in a timely and responsible manner?

59. Does that plan include public relations media damage control?

60. Who else or what other organizations could be harmed if the data you collect and provide is incomplete, inaccurate, or untimely?

61. Which individuals or companies depend on the PII you collect and provide? How do they use that PII in their operations?

62. On a scale of 1 to 10, 10 being life or death and 1 being a possible customer may fail to hear about your upcoming Saturday sale, how important are accuracy, completeness, timeliness, and relevancy of the PII you collect?


63. Have you completed a system security plan for the information system(s) supporting the project? Who has the Authority to Operate ("ATO") the system?

64. How is that authority decided?

65. Do you have different levels of access?

66. Which employees shall be authorized personnel, including employees and contractors acting on behalf of the organization?

67. Which personnel's official duties require access?

68. Do you have a standard operating procedure for terminating or reducing access for individuals who no longer have a need to know all or certain information?

69. Do you have an operating policy?

70. What security controls and safeguards exist to protect information contained in the system against unauthorized disclosure and access?

71. Do you have policies and procedures for:

- Conducting background checks on all personnel with access to the system?

- Initial and follow-on privacy and security awareness training for each individual with access to the system?

- Physical perimeter security safeguards?

- A Security Operations Center to monitor antivirus and intrusion detection software?

- Risk and controls assessments and mitigation?

- Technical access controls, such as role-based access management and firewalls?

- Disaster mitigation strategies, breach notification processes and plans, and secure channels for submitting transaction information in place for the system?

72. Are there mechanisms in place to identify security breaches? If so, what are they?


73. Are there any privacy risks for this system that relate to security? If so, how will you mitigate these risks?

74. Do you give individuals, in most cases, the ability to access their PII, and allow them to correct or amend their PII if it is inaccurate?

75. What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project?

76. If no opportunities are available to consent, decline, or opt out, please explain why.

77. What procedures will allow individuals to access their information?

78. Can individuals amend information about themselves in the system?

79. Are there any privacy risks for this system that relate to individual participation?

80. Who will train all personnel about the proper treatment of PII?

81. Describe what privacy training is provided to users, either generally or specifically relevant to the project.

82. Are there any privacy risks for this system that relate to awareness and training? If so, how will you mitigate these risks?

83. Have you hired coaches or lecturers to train employees?

84. Mandatory reading for employees?

85. Consultants to teach employees?

86. Testing for employees?

87. Do you have company-wide certification?

88. Who developed that certification? How up to date is it?

89. How does the system ensure that the information is used in accordance with the stated practices in this assessment?

90. Do you have internal auditing?


91. How often do you review your policies for weaknesses or outdated systems?

92. Do you run vulnerability attacks on your system? If so, how often?

93. Do you hire outside experts to audit your systems and organization for PII compliance?