PRI-07: Information Sharing With Third Parties

PRI 9 — Critical Identify

Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.

Control Question: Does the organization disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject?

General (23)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	P6.1 P6.1-POF1
CSA CCM 4	DSP-13
Generally Accepted Privacy Principles (GAPP)	7.2.1 7.2.2 7.2.3
GovRAMP Moderate	AC-21
GovRAMP High	AC-21
ISO 27002 2022	5.33
ISO 27017 2015	18.1.4
ISO 27018 2014	A.5.1
ISO 29100 2024	6.10
MITRE ATT&CK 10	T1213, T1213.001, T1213.002
NIST Privacy Framework 1.0	CT.PO-P2
NIST 800-53 R4	UL-2
NIST 800-53 R5 (source)	AC-21
NIST 800-53B R5 (moderate) (source)	AC-21
NIST 800-53B R5 (high) (source)	AC-21
NIST 800-82 R3 MODERATE OT Overlay	AC-21
NIST 800-82 R3 HIGH OT Overlay	AC-21
NIST 800-161 R1	AC-21
NIST 800-161 R1 Level 1	AC-21
NIST 800-161 R1 Level 2	AC-21
SWIFT CSF 2023	2.5A 2.11A
TISAX ISA 6	9.5.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	PRI-07

US (11)

Framework	Mapping Values
US CERT RMM 1.2	COMP:SG1.SP3 COMP:SG3.SP1 EXD:SG3.SP1 OTA:SG3.SP2
US CJIS Security Policy 5.9.3 (source)	5.1.1.2 5.1.1.3 5.1.1.4 5.1.1.5 5.1.1.6 5.1.1.7 5.1.1.8 5.1.4 AC-21
US CMS MARS-E 2.0	UL-2
US FERPA (source)	1232g
US HHS 45 CFR 155.260	155.260(e)
US HIPAA Administrative Simplification 2013 (source)	164.506(c)(1) 164.506(c)(2) 164.506(c)(3) 164.506(c)(4) 164.508(a)(1) 164.508(a)(4)(i)
US IRS 1075	1.9.4 AC-21
US SSA EIESR 8.0	5.1
US - AK PIPA	45.48.420 45.48.430
US - CO Colorado Privacy Act	6-1-1305(7) 6-1-1305(8)(a) 6-1-1305(8)(b) 6-1-1307(2) 6-1-1307(3)
US - OR CPA	6(1)(a) 6(1)(c)

EMEA (7)

Framework	Mapping Values
EMEA Austria	Sec 10
EMEA Israel CDMO 1.0	10.5
EMEA Kenya DPA 2019	25(h) 42(2)(a) 42(2)(b) 42(3)
EMEA Nigeria DPR 2019	2.4(b)
EMEA Saudi Arabia PDPL	8
EMEA Serbia 87/2018	5
EMEA South Africa	18 28 30 31

APAC (9)

Framework	Mapping Values
APAC Australian Privacy Principles	APP 7 APP 8
APAC China Privacy Law	20 21 22 27 38(3) 41 42 49
APAC India DPDPA 2023	8(2)
APAC Japan APPI	23(1)(i) 23(1)(ii) 23(1)(iii) 23(1)(iv) 23(2) 23(2)(i) 23(2)(ii) 23(2)(iii) 23(2)(iv) 23(2)(v) 23(2)(vi) 23(2)(vii) 23(2)(viii) 23(3) 23(4) 23(5)(i) 23(5)(ii) 23(5)(iii) 23(6) 23(1) 26(1) 26(1)(i) 26(1)(ii) 26(2) 26(3) 26(4) 26-2(1) 26-2(1)(i) 26-2(1)(ii) 26-2(2) 26-2(3)
APAC Japan ISMAP	18.1.4
APAC Malaysia	9
APAC New Zealand NZISM 3.6	20.1.6.C.01 20.1.6.C.02 20.1.7.C.01 20.1.7.C.02 20.1.8.C.01 20.1.9.C.01 20.1.10.C.01 20.1.10.C.02 20.1.11.C.01 20.1.12.C.01 20.1.13.C.01 20.2.3.C.01 20.2.4.C.01 20.2.5.C.01 20.2.6.C.01 20.2.6.C.02 20.2.6.C.03 20.2.7.C.01 20.2.8.C.01 20.2.9.C.01 20.2.9.C.02 20.2.9.C.03 20.2.9.C.04 20.2.10.C.01 20.2.10.C.02 20.2.11.C.01 20.2.11.C.02 20.2.11.C.03
APAC Singapore	26
APAC South Korea	17 26 27

Americas (4)

Framework	Mapping Values
Americas Argentina Reg 132-2018	11.1 11.2 11.3 11.4 12.1 16.4
Americas Canada PIPEDA	Sec 20 Sec 23
Americas Colombia	26
Americas Uruguay	17 23

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.

Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
Data/process owners operationalize data privacy controls into the processes they control.
Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.

Level 4 — Quantitatively Controlled

Privacy (PRI) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.

Assessment Objectives

PRI-07_A01 information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined.
PRI-07_A02 authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for information-sharing circumstances.
PRI-07_A03 automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined.
PRI-07_A04 automated mechanisms are employed to assist users in making information-sharing and collaboration decisions.

Evidence Requirements

E-PRI-05 Data Sharing Agreement: Documented evidence of formal data sharing practices that address, at a minimum: • The business justification for the data sharing; • The type / category of data being shared; • The third-parties the data is being shared with; • Lawful bases for data sharing; and • Data subject rights.
Privacy
E-TPM-01 Third-Party Contracts: Documented evidence of third-party contractual obligations for cybersecurity & data privacy protections.
Third-Party Management

Technology Recommendations

Micro/Small

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Small

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Medium

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Large

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management

Enterprise

Data classification program
Data privacy program
Data Protection Impact Assessment (DPIA)
Product / project management