Exam IIA-CIA-Part2
Question 102

Which of the following items should be addressed in an organization's privacy statement?

I. Intended use of collected information.

II. Data storage and security.

III. Network/infrastructure authentication controls.

IV. Data retention policy of the organization.

Parties authorized to access information.

    Correct Answer: C

    An organization's privacy statement should address the following items: the intended use of collected information, data storage and security, and parties authorized to access information. These aspects are crucial for informing users about how their data will be handled and protected. Data retention policies, while important, are usually detailed in separate policy documents rather than in the privacy statement itself. Network/infrastructure authentication controls are generally part of internal security measures and not typically included in a public privacy statement.

Discussion
Brad626 (Option: B)

Why isn't IV included?

wiseminosse

Maybe because the retention policy is imposed by external legislation.

John1237

Option 4 is a separate document (a policy, not a statement).

KonradK (Option: D)

Can someone explain to me the rationale for C? I think D should be the right one. Does anyone have a good explanation?

John1237

What I have concluded is that these aspects can be analyzed during an audit engagement, but not in an organization's privacy statement.

John1237

Security vs Privacy Audits

POKLA

Error in the numbering of options.

CESSA

"Parties authorized to access information." refers to item V.