All But One of the New Certification Specs Address Pre-Existing Practices

December 16, 2020

As all NAID AAA and PRISM Privacy+ Certified service providers have been informed, there are four new certification specifications going into effect on 1 January 2021.

While that might cause some concern, three of the four only ask service providers to document practices that are likely already in place.

1. Have a policy on the use of photographic equipment

I assume no i-SIGMA member permits employees to take unauthorized photographs of client media or operations. This certification requirement simply specifies that such a policy be formally included in the organization's written policies so that it is clear to both employees and clients.

2. Identify a system for knowing where service vehicles travel

I have never encountered a secure destruction service where one of these options was not already in place:

  • Issue a route schedule to each driver (electronic or hard copy) on which the driver tracks their route over the course of the day.
  • Execute receipts (electronic or hard copy) at the point of service that document the date and time.
  • Have drivers record en route (electronically or in hard copy) the time they arrive at and leave every stop.
  • Require the driver to keep some form of official log of their travels and hours.
  • Have GPS equipment or other telemetry capture the vehicle's location during a route.

The new requirement simply asks the service provider to describe the method it uses to track the location of its service vehicles. In the unlikely event that none of the above options is in use, please contact i-SIGMA headquarters to discuss possible options.

3. Change the client breach notification deadline from 60 days after verification of a breach to “immediately” upon verification that a breach has occurred

The notification policy itself was already required. Only the timeframe changes, in response to regulatory requirements.

4. Implement a Data Subject Response policy

This is the only specification that is probably not currently addressed in a service provider's policies and procedures. The reason for it is that Data Subjects increasingly have the right to approach Data Processors to request information. An i-SIGMA member may not be in a position to validate that the individual is a Data Subject of a Data Controller for which it provides service, and even if it could establish that, it would not be capable of providing the requested information to the Data Subject. Nevertheless, if such a request is made, it cannot legally be ignored. The specification simply recognizes that fact, which means the service provider must have a policy stating what it will do if such a request is received. The particulars of this response, including possible responses, are included in the certification advisory sent to NAID AAA and PRISM Privacy+ Certified service providers earlier this month.

Those with continuing questions about this can email [email protected].