New NAID AAA and PRISM Privacy+ Certification Apps Reflect 2021 Changes

November 6, 2020

Updated NAID AAA Certification and PRISM Privacy+ Certification applications are now available on the NAID and PRISM International websites.

Included are the applications to apply for or renew NAID AAA and PRISM Privacy+ Certifications, the i-SIGMA Certification Specifications Manual which includes all certification requirements and audit procedures, and an Addendum used to apply for or renew the Australian PSPF Endorsement.

While NAID AAA and PRISM Privacy+ Certified service providers will receive a more detailed official written orientation on November 16, for purposes of this initial notification, there are essentially four modifications, all of which apply to policies and procedures.

  • Breach Notification Timeframe: Service Providers will modify their policies and procedures to state that the client (data controller) will be notified immediately after the service provider establishes that a data security breach has occurred. This change was made to comply with changes in data breach notification regulations.
  • Data Subject Response Policy: Service providers will be required to acknowledge that they will respond in a reasonable manner to data subjects (clients of their clients) who request information about how their confidential materials are processed and/or about the nature of any personal information the service provider may hold on the data subject making the request. This too is a result of regulatory requirements. While it is not anticipated that many such requests will be made, the one thing regulators will not allow is for such requests to be ignored. Advice on safe approaches to policy language will be provided to NAID AAA and PRISM Privacy+ Certified service providers.
  • Photographic/Electronic Equipment Use Policy Requirement: Certified service providers will be required to have a written policy governing employees' use of personal and company photographic and electronic equipment. Again, samples of such policy language will be provided.
  • Vehicle Security: Certified service providers will be required to demonstrate a procedure for establishing the location of service vehicles en route. While GPS tracking (on trucks or handhelds) is a technological solution, advice to certified members will also include acceptable administrative procedures.

Effective Date/Enforcement: The effective date for the changes is January 1, 2021, at which point i-SIGMA Auditors will identify non-compliance. Between January and March, non-compliance with these requirements may be remedied after the fact.

i-SIGMA’s commitment to certified service providers and the clients who rely on those certifications is that specifications will reflect reasonable security and consistent regulatory compliance. In fulfilment of that commitment, the specifications are subject to modification as needed.

Published: November 10, 2020