Criterion: Privacy
Requirements for protecting personal information and privacy
Full Description
D6. Privacy
Code 8.0
Participants shall commit to protecting the reasonable privacy expectations of personal information of everyone they do business with, including suppliers, customers, consumers, and employees. Participants shall comply with privacy and information security laws and regulatory requirements when personal information is collected, stored, processed, transmitted, and shared.
Elements to Demonstrate Compliance to RBA Code
1. Policy
Ensure facility ethics and/or privacy policy includes the following elements:
- a. Preventing unauthorized disclosure of personal information
2. Procedures & Practices
Procedures & Practices are in place such that:
- a. No personal information is viewable by anyone who is not authorized to see it.
- b. Information is only collected, stored, processed, transmitted, or shared with the individual's approval (or as defaulted by local law).
3. Serious conditions that will result in a severe finding
- Personal information is collected, stored, processed, transmitted, or shared without the individual's approval.
Profiles using this criterion
RBA Assessment Program
- VAP Full Assessment | 8.0.0
- VAP Full Assessment | 7.1.2
Conformity Alignment
Priority
Pass: No
Definition: "Critical non-conformance requiring immediate action"
Remediation: 30 days
Major
Pass: No
Definition: "Significant non-conformance requiring corrective action"
Remediation: 90 days
Minor
Pass: Yes
Definition: "Non-conformance with limited impact"
Conditions: Corrective action plan required
Remediation: 180 days
Opportunity
Pass: Yes
Definition: "Opportunity for improvement identified"
Conformance
Pass: Yes
Definition: "Full conformance with criterion requirements"
Related Criterion
VAP: Intellectual Property
Relationship: Related
Protection of confidential information
VAP: Protection of Identity and Non-Retaliation
Relationship: Related
Protection of personal identity
VAP: Ethics Management System
Relationship: Parent
Management system for ethics practices
Change Log
2.0.0 (2022-06-01)
Changed
- Added a mandatory consent requirement and a new severe-finding consent trigger: 7.0.0 (provision D8) had Priority = Not Applicable and rated only on policy/procedure completeness. 7.1.2 (D6) adds a new mandatory Record-Review requirement (information is only collected, stored, processed, transmitted, or shared with the individual's approval, or as defaulted by local law) AND a new severe-finding (Priority) trigger (personal information collected, stored, processed, transmitted, or shared without the individual's approval). A facility that passed 7.0.0 on documented policy alone (Priority N/A) now fails at Priority if it collects or shares personal information without individual approval. A prior pass can become a fail, hence a major change.
Removed
- Severe-finding trigger narrowed from 'risk or evidence' to 'evidence': the D6.1 trigger was narrowed from 'No identified risk or evidence of unauthorized disclosure' (7.0.0) to 'No evidence of unauthorized disclosure' (7.1.2). This is a loosening: it only removes ways to fail and does not drive the severity of this version; the new consent condition above is what makes the boundary major.
1.0.0 (2021-01-01)
Changed
- Initial historical baseline — Privacy (RBA Code of Conduct 7.0, provision D8): Earliest imported version of the criterion (numbered D8 in VAP 7.0.0). Participants to protect the reasonable privacy expectations of personal information of everyone they do business with and to comply with privacy and information security laws when personal information is collected, stored, processed, transmitted, and shared. Rated purely on documentary policy/procedure completeness: adequate policy and procedures including safeguards to prevent unauthorized disclosure and monitoring procedures. Priority = Not Applicable; Major = no detailed and understandable policy and procedures implemented; Minor = partial policy or procedures or implementation. No individual-consent requirement.