
Control 5.34: Privacy and Protection of PII


Summary

The organization should identify and meet the requirements regarding the preservation of privacy and protection of personally identifiable information (PII) according to applicable laws and regulations.


Applicability

In-Scope: Mandatory for all organizations handling employee or client data. It is the primary control for meeting requirements like Law 25 (Quebec) or GDPR.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Data Discovery: Use Microsoft Purview Content Search to identify where PII (e.g., social insurance numbers, health data) is stored across the tenant.

  • Privacy Management: Use Microsoft Priva to automate privacy risk management and to handle Subject Rights Requests (SRRs).

  • Protection: Implement Data Loss Prevention (DLP) policies to block the unauthorized sharing of PII outside the organization.
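The discovery and protection steps above, as an added PowerShell example that is not part of the original page: it runs a Purview content search for one PII pattern and then creates a DLP policy and rule that block external sharing of that pattern. It assumes the ExchangeOnlineManagement module, an account holding a compliance administrator role, and Microsoft's built-in sensitive information type "Canada Social Insurance Number"; the search and policy names are constructed placeholders.

```powershell
# Added example (not from the original page): PII discovery and DLP in Microsoft 365.
# Assumptions: ExchangeOnlineManagement module installed, compliance admin rights,
# and the built-in sensitive information type "Canada Social Insurance Number".
# Search/policy names are placeholders; adjust to the organization's naming scheme.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# --- Step 1: data discovery (where is PII stored?) ---
$searchName = "PII-Discovery-SIN"
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery 'SensitiveType:"Canada Social Insurance Number"' | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes; the item count is useful evidence for the audit file
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed")
"Items containing a SIN pattern: $($search.Items)"

# --- Step 2: protection (block unauthorized sharing outside the organization) ---
$policyName = "PII-Block-External-Sharing"
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications | Out-Null   # simulate first; enable after reviewing matches

New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Canada Social Insurance Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin | Out-Null

# Once false positives have been reviewed, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting the policy in a test mode rather than enforcing it immediately is the usual practice: the incident reports show what would have been blocked, which lets the privacy owner tune the rule (for example, raising minCount for bulk-only detection) before users are affected. The content search results and the DLP incident reports together give the auditor concrete evidence that PII locations are known and that external sharing is restricted.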


Evidence Checklist

  • Privacy Policy: A public-facing and internal policy detailing how the organization collects, uses, and protects PII.

  • Privacy Impact Assessment (PIA): Documented reviews of the privacy risks associated with new projects or systems (required under Law 25).

  • Training Records: Evidence that staff have completed privacy and data protection awareness training.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that PII is only collected for specific, legitimate business purposes?

  • What is the organization's process for responding to a subject access request where an individual asks to see or delete their data?

  • How do you verify that third-party vendors who process PII on your behalf are meeting your privacy standards?

  • Can you demonstrate how your Microsoft 365 configuration restricts access to PII to only those staff with a clear need-to-know?