Employees, contractors or third-party users breach privacy because they are not aware of, or trained on, information privacy requirements.
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].
Employees and other agency personnel received periodic privacy training.
No statewide control
Obtain privacy awareness and training policy and procedures, and other relevant documents or records, and ascertain if:
(i) the organization develops and documents privacy awareness and training policy and procedures;
(ii) the organization disseminates privacy awareness and training policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review privacy awareness and training policy and procedures;
(iv) the organization updates privacy awareness and training policy and procedures when organizational review indicates updates are required;
(viii) the organization conducts a basic privacy training and a targeted, role-based privacy training at least on an annual basis for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII; and
(ix) the organization ensures that personnel provide their acceptance of responsibilities for privacy requirements either manually or electronically.