Skip to main content

PRI-16: Potential Human Rights Abuses

PRI 10 — Critical Protect

Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.

Control Question: Does the organization constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations?

General (2)
Framework Mapping Values
Shared Assessments SIG 2025 O.12
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRI-16
APAC (3)
Framework Mapping Values
APAC China Cybersecurity Law 24
APAC China Data Security Law 7 8 9 11 14 15 16 18 19 20 28 31 32 33 36 37 38 48 53
APAC China Privacy Law 11 12 18 26 38(4) 40 47(5)

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to constrain the supply of physical and/ or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/ or contractual obligations.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to constrain the supply of physical and/ or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/ or contractual obligations.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to constrain the supply of physical and/ or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/ or contractual obligations.

Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
  • A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
  • As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
  • A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
  • Data/process owners operationalize data privacy controls into the processes they control.
  • Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
  • Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
  • CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to constrain the supply of physical and/ or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/ or contractual obligations.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to constrain the supply of physical and/ or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/ or contractual obligations.

Assessment Objectives

  1. PRI-16_A01 executive leadership, along with legal counsel, formally identifies risks associated with non-compliance (e.g., fines, operational impacts, etc.).
  2. PRI-16_A02 executive leadership, along with legal counsel, formally identifies primary risks associated with compliance (e.g., loss of confidentiality and/or integrity considerations with data governance).
  3. PRI-16_A03 executive leadership, along with legal counsel, formally identifies secondary risks associated with compliance (e.g., non-compliance with other laws, regulations and contractual agreements).
  4. PRI-16_A04 executive leadership, along with legal counsel, formally identifies tertiary risks associated with compliance (e.g., human rights abuses, theft of intellectual property, espionage, etc.).

Technology Recommendations

Micro/Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Medium

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Large

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management
  • Board of Directors (Bod) Ethics Committee

Enterprise

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management
  • Board of Directors (Bod) Ethics Committee

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free