Privacy Audit Checklist

Prepared by Keith P. Enright, Esq.

Chief Privacy Officer

Lucira Technologies, Inc.

326 A Street, Suite 1A

Boston, MA 02210

617.423.4111

keith@lucira.com

The following checklist is intended to provide general guidance for organizations interested in assessing their information handling practices.  Specifically, this document will help you assess your current level of privacy-related exposure, from both a legal and a public relations perspective.  This document is set up in a checklist and outline format.  Though the checklist can be used as a working document in conducting a specific assessment, I recommend that it be used as a guideline from which you draft your own assessment checklist, ensuring that you address any unique areas of concern or idiosyncratic data handling practices affecting your organization. This document does not go into detail regarding specific statutory or regulatory compliance requirements.

This document outlines a process, rather than a one-time solution, and it is important to keep the following caveats in mind:

  1. Context is extremely relevant when assessing privacy exposure.  Certain industries (e.g., medical service providers, financial service providers, and providers of services to children) must account for special statutory and regulatory compliance requirements.  This document attempts to highlight the existence of these requirements, whenever applicable, but does not provide an adequate compliance strategy.
  2. This assessment should be conducted periodically, to ensure that you have a current, accurate understanding of your organization’s data flows, information handling practices, and privacy positioning.
  3. Satisfactory completion of this analysis requires considerable access to the practices and procedures of various functional areas of any organization.  Ensure that such access has been secured, and that adequate resources will be available for a thorough, detailed assessment.  AN INCOMPLETE OR IMPROPERLY CONDUCTED ASSESSMENT CREATES, RATHER THAN LIMITS, EXPOSURE, AS IT CAN CREATE A FALSE SENSE OF SECURITY AND MAY LEAD TO THE PROMULGATION OF POLICIES WHICH ARE NOT CONSISTENT WITH ACTUAL PRACTICES.
  4. Finally, the results of this assessment must not be ignored.  Closure of the initial assessment does NOT bring closure to the issue of privacy-related exposure.

Additional Preliminary Questions

Responses to many of the following questions will be further articulated through the auditing and assessment process.  The following high-level questions provide a broad overview of the relevant issues.

What information is collected without a user’s explicit knowledge and/or consent?

  • What, if any, communications will occur between the website and the user?
  • What method(s) of communication will be used?

      [ ] E-mail
      [ ] Postal mail
      [ ] Telephone call
      [ ] Fax
      [ ] Other (specify)

  • How frequently will the communication take place?
  • Under what circumstances will such communications take place?

Information Sharing

Choice: Opt-in or Opt-out

  [ ] Via e-mail
  [ ] “Reply” to unsubscribe
  [ ] Via telephone
  [ ] Via postal mail
  [ ] Other
  [ ] N/A
  [ ] Site/organization does not offer “opt out”

Security

Data Integrity Assurance Mechanisms

How are users able to access and correct any inaccuracies in the information submitted?

  [ ] Online
  [ ] Via e-mail
  [ ] Via telephone
  [ ] Via postal mail
  [ ] Other
  [ ] N/A

Privacy Policy formation

  • Tier 1 – Very simple, broad overview of the organization’s privacy position and general disclosure of whether information will be disclosed to third parties, etc.  This policy should address the concerns of the typical consumer visiting the site, and should be clear, concise, and accessible.

  • Tier 2 – More precise detail, detailing what information is collected by server logs, specifying cookie uses, pointing to privacy policies of partners, affiliates, and other relevant third parties.  Clarity and brevity are still important here, but more detail should be provided to address the concerns of sophisticated and concerned visitors.

  • Tier 3 – (Especially useful where specific statutory compliance is required.)  Specifically address each statutory requirement, and explain how your organization deals with each in turn.  Provide sufficient information to clearly assess the rights and responsibilities existing between customers and your organization with respect to privacy and information handling.

  • Specific policies (at each respective tier) can be drafted to cover discrete products and services, as necessary.

Assessing Collection Practices

CONTACT INFORMATION

  [ ] Name
  [ ] E-mail address
  [ ] Mailing address
  [ ] Phone number
  [ ] Facsimile number
  [ ] Other (Specify)______________________________________

FINANCIAL/BILLING INFORMATION

  [ ] Name of banking institution
  [ ] Credit card number
  [ ] Salary/income
  [ ] Account number
  [ ] Routing number
  [ ] Account balance
  [ ] Other (Specify)______________________________________

UNIQUE IDENTIFIERS

  [ ] Social Security identifier
  [ ] Driver’s license number
  [ ] Proprietary globally unique identifier (GUID)
  [ ] Other (Specify)______________________________________

DEMOGRAPHIC INFORMATION

  [ ] Age
  [ ] Gender
  [ ] Ethnicity
  [ ] Marital status
  [ ] Other (Specify)______________________________________

MEDICAL INFORMATION

  [ ] Medical history
  [ ] Health status/present conditions
  [ ] Health insurance provider
  [ ] Other (Specify)______________________________________

EMPLOYMENT INFORMATION

  [ ] Employment status
  [ ] Employer
  [ ] Title
  [ ] Business contact information
  [ ] Other (Specify)______________________________________

EDUCATION INFORMATION

  [ ] School(s) attended
  [ ] Degrees conferred
  [ ] Dates of attendance
  [ ] Transcript/grade information
  [ ] Other (Specify)______________________________________

LEGAL INFORMATION

  [ ] Criminal record
  [ ] Other (Specify)______________________________________

FAMILIAL INFORMATION

  [ ] Number of children
  [ ] Number of siblings
  [ ] Information regarding spouse/partner
  [ ] Mother’s maiden name
  [ ] Information regarding parents
  [ ] Years at current address
  [ ] Other (Specify)______________________________________

OTHER INFORMATION

  [ ] Hobbies
  [ ] Interests
  [ ] Dialogue/interaction (chat rooms, e-mail, bulletin board postings, etc.)
  [ ] Other (Specify)______________________________________

By what means is this information being collected?

  [ ] Registration forms
  [ ] Order forms
  [ ] News groups
  [ ] Feedback forms
  [ ] “Contact Us” forms
  [ ] Forums
  [ ] Surveys
  [ ] Electronic mail
  [ ] Request forms
  [ ] Chat rooms
  [ ] Bulletin boards
  [ ] Other (Specify)______________________________________