Information Usage and Access (IUA)
- Create visibility into how personal information is handled across the business processes, functions and operations of the organization
- Compile, for each set of data, information such as: for what purpose the data is collected; whether the data is collected in line with that purpose; and whether the data collector holds more information than the particular business transaction requires
- Understand how the organization uses each set of data elements. Record each transaction that uses the data and validate it against the intended purpose. Record any discrepancies in data usage
- Create a map of the users and their roles that have access to the data against each set of data elements. Validate the access against the access requirements to execute the intended data transaction
- Establish a process that mandates project groups, business processes, functions and operations to report to the central privacy function about their exposure to personal data and any change in data usage and processing
- Create a set of rules for limiting the collection of data.
- Create a set of rules for limiting the usage of data.
- Create a set of rules for limiting and governing access to data.
- Create an inventory of all the elements that act as a means or channel for sharing of information.
- Ensure that a mechanism exists for provisioning, de-provisioning and authorization of access to the information or systems which are exposed to the data
- Ensure that a mechanism exists that monitors the collection, usage and access instances against a set of rules
- Ensure that discrepancies in collection, usage and access are identified in a timely manner and managed
DSCI Privacy Framework