Issuer Gateway Knowledge Hub

S.3.1.3 Data Privacy Policy

Last Updated October 2024

Definition

This indicator is designed to assess the alignment of a company's data privacy policy with the eight principles outlined in the 1980 OECD Guidelines on the Protection of Privacy or equivalent Fair Information Practices (FIPs) models, such as the Generally Accepted Privacy Principles (GAPP). 

Companies are expected to address two broad factors: 

  1. Respecting the data subject's right to privacy in the way data is collected, used, disclosed and retained.
  2. Ensuring safeguards are in line with prevailing best practices for securing Personal Information.  

What is a Policy Indicator? 

Policy indicators measure the strength and quality of an issuer’s policy commitment to addressing a material ESG issue. One often-used policy indicator is Environmental Policy. It is part of the Management Indicator sets for several MEIs, in particular: Carbon – Own Operations, Emissions, Effluents and Waste, and Resource Use.

Assessment Criteria

• The policy includes a clear description of the type of data being collected by the company.

   Informs users about the type of data collected.

• The policy includes a clear description of how data is being used and for what purpose.

• The policy includes a clear description of how data is being disclosed by the company and for what purpose.

   A clear description of how data will be shared within the company (i.e. with other affiliates and subsidiaries), with service providers, and for other purposes.

• The policy addresses the company's data retention practices.

   Examples of data retention practices include a brief statement about how long the company keeps data, such as "as long as necessary to provide you with the contracted services" or "as long as required by law".

• The policy includes a commitment to provide data subjects with access to, correction and/or erasure of their data.

   Contact information for this purpose must be provided.

• The policy includes clear and accessible mechanisms for data subjects to raise concerns about data privacy.

   The mechanism is often referred to as "inquiries and complaints". Contact information for this purpose must be provided.

• The policy contains a commitment to implement appropriate security safeguards.

   Relevant standards and safeguards include, but are not limited to, encryption, Secure Sockets Layer / Transport Layer Security (SSL/TLS), differential privacy, and industry-specific standards such as the Payment Card Industry Data Security Standard (PCI DSS).

• The policy contains a commitment to require service providers to protect data at a level consistent with the company's privacy policy.

• The policy has clear provisions around updates.

   A commitment to notify users or data subjects whenever the company completes a data privacy policy update.

• The policy applies to a majority of the company's operations.

Scoring

Score   Assessment
100     The company has a very strong policy.
75      The company has a strong policy.
50      The company has an adequate policy.
25      The company has a weak policy.
0       The company does not have a policy.