Training Requirements

This Comparison details global training requirements, as well as details regarding OneTrust DataGuidance's Awareness Training module. Equip your staff with the necessary knowledge to ensure consistent safe practices and meet regulatory requirements for training. OneTrust Awareness Training offers the solution with an ever-expanding library of content specifically designed to train your staff in privacy awareness essentials and facilitate a privacy-first culture in your organisation. Speak with our team to find out more.

Requirements

Each jurisdiction below is compared under the following headings, listed in this order:

  • Mandatory
  • Recommended
  • Who should be trained?
  • Responsibility allocated
  • Content
  • Frequency
  • Record-keeping

  • Australia
    • There are no generally applicable data protection education or training requirements.

    • The Office of the Australian Information Commissioner ('OAIC') has released several pieces of non-binding guidance that recommend staff training for both general data protection and for specific privacy related practices. In particular, the Guide to securing personal information ('the Guide') emphasises personnel privacy security training. It is also noted that while the Guide is non-binding, its recommendations are taken into account by the OAIC when it is making formal assessments.

    • The Guide highlights that an entity's entire staff, including senior management, should be involved in security training.

    • The guidance released by the OAIC allocates responsibility for training with the 'entity.'

    • The Guide outlines general topics and specific questions that should be addressed in personnel privacy training. This includes, among other things: security clearance and vetting; training on physical and ICT security, new starter training; project design; resources and a privacy culture; passwords; obligation reminders; staff leaving; internal reporting; phishing; telephone conversations; printing; offsite working; mobile working and working from home.

    • No further information.

    • In general terms, the Privacy Act No. 119 1988 (as amended) ('the Privacy Act') provides that employee records, post-collection, are exempt from its provisions. 'Training' is included within the definition of an 'employee record' (Section 6.1 of the Privacy Act). The Guide does not specifically refer to record-keeping in the context of staff training.

  • Australian PCEHR
    • Sections 42, 47, and 59 of The My Health Records Rule 2016 ('the Rule') require healthcare provider organisations, contract service providers, and operators, respectively, to create written policies including training for employees.

    • The Australian Digital Health Agency ('ADHA') has created various pieces of guidance on the My Health Record system, such as the My Health Record Checklists and the Security practices and policies checklist (collectively 'the Checklists').

    • The Rule provides that employees of healthcare provider organisations, contract service providers, and operators must be trained. The Checklists specify that staff requiring access to the My Health Records system require training.

    • Although set out in separate articles, the Rule provides that healthcare provider organisations, contract service providers, and operators must create policies which include training. Some operators are exempt depending on their size.

    • Sections 42, 47, and 59 of the Rule set out that training should include 'how to use the My Health Record system accurately and responsibly, the legal obligations on [as applicable healthcare provider organisations, contract service providers, operators] and individuals using the My Health Record system and the consequences of breaching those obligations.'

    • The Rule requires that training is provided prior to access to the My Health Record system. The Rule also notes that policies must be kept up to date. The Checklists suggest that training should be provided on a regular and ongoing basis.

    • The Checklists recommend that a register of staff who have attended training is maintained.

  • Brazil
    • Article 41(2)(III) of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') provides that a data protection officer should orient an entity's employees and contractors regarding practices to be taken in relation to personal data protection.

    • No further information.

    • Article 41(2)(III) of the LGPD states that an organisation's employees as well as its contractors should be trained.

    • Article 41(2) of the LGPD states that it is the data protection officer's task to train employees and contractors.

    • No further information.

    • No further information.

    • Whilst the LGPD does not expressly provide for record-keeping requirements in relation to training, accountability is one of the principles under the LGPD and provides that organisations must be able to demonstrate the adoption of measures that are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures.

  • British Columbia E-Health Act
    • No further information.

    • The Doctors of British Columbia ('BC'), the College of Physicians and Surgeons of BC and the Office of the Information and Privacy Commissioner for BC ('OIPC') prepared the BC physician privacy toolkit ('the Toolkit'), which recommends that a privacy program is implemented with mandatory privacy training and education for physicians and staff.

    • The Toolkit recommends privacy training for physicians and staff.

    • The Toolkit suggests the designation of a privacy officer, which may for instance be a physician, who would be allocated responsibility for the privacy management program, including staff training.

    • The Toolkit recommends training on a range of privacy related matters, and particularly emphasises training on electronic medical records, secure confidentiality, and the destruction of records.

    • The Toolkit does not directly address frequency of training, but it does suggest that privacy policies should be regularly updated.

    • Although the Toolkit does not directly address keeping records of training, it does suggest that a record of training may be requested from a service provider employed to destroy confidential information.

  • CAN-SPAM
    • Whilst the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM') does not expressly address training requirements, Section 7 on enforcement highlights that, in assessing the amount of damages that can be issued, the court may consider whether the defendant has established and implemented, with due care, commercially reasonable practices and procedures designed to effectively prevent such violations, or whether the violation occurred despite commercially reasonable efforts to maintain compliance with those practices and procedures.

    • The Federal Trade Commission ('FTC') has issued a compliance guide for business which provides a breakdown of the main requirements under CAN-SPAM. The guide also notes that, when engaging a vendor, both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

  • Canada Federal
    • Schedule 1, Principle 1 of the Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA') provides that organisations must implement policies and practices to give effect to the principles, including training staff and communicating to staff information about the organisation's policies and practices, and developing information to explain the organisation's policies and procedures.

    • No further information.

    • Schedule 1, Principle 1 of PIPEDA provides that 'staff' should be trained.

      In addition, the Office of the Privacy Commissioner of Canada ('OPC') highlights in Getting Accountability Right with a Privacy Management Program ('the PMP Guidance') that training and education for all service provider employees with access to personal information should be provided.

    • The Privacy Officer is accountable for the organisation's compliance with the principles outlined in PIPEDA (Schedule 1, Principle 4.1 of PIPEDA). 

    • Whilst PIPEDA does not expressly provide for the content of training, the OPC highlights in the PMP Guidance that, for privacy training and education to be effective, it must: be mandatory for all new employees before they access personal information and periodically thereafter; cover the policies and procedures established by the organisation; be delivered in the most appropriate and effective manner, based on organisational needs; and circulate essential information to relevant employees as soon as practical if an urgent need arises.

    • Whilst PIPEDA does not expressly provide for frequency, the OPC states in the PMP Guidance that 'training and education need to be recurrent, and the content of the program needs to be periodically revisited and updated to reflect changes.'

    • Whilst PIPEDA does not expressly provide for record-keeping requirements in relation to training, the accountability principle under PIPEDA requires that organisations be able to demonstrate compliance.

  • CASL
    • Whilst Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL') does not expressly address training requirements, the Canadian Radio-television and Telecommunications Commission's ('CRTC') Compliance and Enforcement Information Bulletin CRTC 2014-326 and CRTC 2018-415 highlight that effective training of staff at all levels is required and that organisations should take steps to maintain a high standard of awareness and take decisive, prompt, and continuing action to prevent CASL violations from occurring, or to stop them once identified.

    • No further information.

    • Bulletin CRTC 2014-326 highlights that staff at all levels should be trained.

    • Bulletin CRTC 2014-326 highlights that the chief compliance officer or point person should consider developing and implementing a training program.

    • When assessing what to include in the training program, Bulletin CRTC 2014-326 notes that consideration should be given to the following: requirements and related liabilities (to provide an understanding of what is required in the legislation and the penalties for not meeting those requirements); policies and procedures associated with the business; and background information on the law.

    • Bulletin CRTC 2014-326 highlights that refresher training be provided regarding the corporate compliance policy for current and new employees, including managers. 

    • Bulletin CRTC 2014-326 highlights that employees could provide written acknowledgment that they understand the corporate compliance policy, and these written acknowledgments should be recorded and maintained. The business could also monitor employee comprehension of the corporate compliance policy, and the training program could be adapted and re-administered accordingly. 

  • CCPA
    • Section 1798.30(a)(6) of the California Consumer Privacy Act of 2018 ('CCPA') provides that businesses must ensure that all individuals responsible for handling consumer inquiries about the business' privacy practices or the business' compliance with this title are informed of all requirements in Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

      Section 1798.135(a)(3) requires that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance be informed of all requirements in Section 1798.120 and this section, and of how to direct consumers to exercise their rights under those sections.

      Under Section 999.317(a) of the Attorney General's Proposed CCPA Regulations ('Proposed Regulations'), all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with the CCPA shall be informed of all the requirements in the CCPA and the Proposed Regulations and how to direct consumers to exercise their rights under the CCPA and the Proposed Regulations.

      Section 999.330(a)(2) of the Proposed Regulations requires 'trained personnel' for handling requests regarding minors' personal information. Methods that are reasonably calculated to ensure that the person providing consent is the child's parent or guardian include, but are not limited to: having a parent or guardian call a toll-free telephone number staffed by trained personnel; having a parent or guardian connect to trained personnel via video-conference; and having a parent or guardian communicate in person with trained personnel.

      Section 999.317(g) of the Proposed Regulations requires a business that alone or in combination, annually buys, sells or shares, for commercial purposes, the personal information of 10 million or more consumers to establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in the Proposed Regulations for CCPA enforcement and the CCPA.

    • No further information.

    • Section 1798.30(a)(6) of the CCPA states that all individuals responsible for handling consumer inquiries about the business' privacy practices or the business' compliance must be informed of the relevant requirements.

    • 'Businesses' are obliged to ensure that training requirements under the CCPA and the Proposed Regulations are met.

    • The CCPA requires training to cover:

      • Section 1798.100 - Consumer's right to know, right to portable data;
      • Section 1798.105 - Consumer's right to delete;
      • Section 1798.110 - Disclosure obligations of businesses that collect personal information;
      • Section 1798.115 - Disclosure obligations of businesses that sell or disclose personal information;
      • Section 1798.125 - Businesses shall not discriminate against a consumer that exercises their rights, although they may create a financial incentive program meeting certain requirements;
      • Section 1798.130 - Sets forth the disclosures and other requirements for the right to know and right to delete;
      • Section 1798.120 - Consumer's right to opt out of sale of personal information; and
      • Section 1798.135 - Sets forth the business obligations for the right to opt out.

      Businesses should train their staff to understand these sections sufficiently, so that they can tell a consumer how to exercise their rights.

    • No further information.

    • Whilst the CCPA does not expressly provide for record-keeping requirements in relation to training, Section 999.317 of the Proposed Regulations requires businesses to maintain records of consumer requests made pursuant to the CCPA, and of how the business responded to those requests, for at least 24 months. The business shall implement and maintain reasonable security procedures and practices in maintaining these records.

  • Connecticut
    • There are training requirements provided for in specific laws, including the General Statutes of Connecticut, Chapter 705, Connecticut Insurance Information and Privacy Protection Act ('the Insurance Act').

    • The Act Concerning Student Data Privacy (HB 5469) (June 2016) ('the Student Privacy Act') established a task force which produced a report that analysed, among other things, data privacy training in the education sector ('the Student Privacy Report').

    • Sec. 38a-999b of the Insurance Act requires relevant companies to create a security program that includes 'employee education and training on the proper use of the company's security systems and the importance of the security of personal information'. The Insurance Act also provides particular requirements for training employees handling medical record information under Sec. 38a-999.

      The Student Privacy Report focuses on training of school employees, contractors, and operators.

    • Sec. 38a-999 allocates responsibility with 'An insurance institution, agent or insurance support organization that regularly collects, uses or discloses medical record information'. Sec. 38a-999b allocates responsibility with the 'company', which is defined as: 'a health insurer, health care center or other entity licensed to do health insurance business in this state, pharmacy benefits manager, as defined in section 38a-479aaa, third-party administrator, as defined in section 38a-720, that administers health benefits, and utilization review company, as defined in section 38a-591a.'

      The Student Privacy Report considers different levels of responsibility within the education sector.

    • Sec. 38a-999 of the Insurance Act only refers to 'appropriate training', while Sec. 38a-999b refers to 'training on the proper use of the company's security systems and the importance of the security of personal information'.

      The Student Privacy Report discusses training on several general personal information privacy matters.

    • Sec. 38a-999 of the Insurance Act requires 'Periodic monitoring of the employees' compliance with the policies, standards and procedures in a manner sufficient for the insurance institution, agent or insurance support organization to determine compliance with this section and to enforce its policies, standards and procedures'. Sec. 38a-999b only refers to 'ongoing training'.

      The Student Privacy Report does not specify a recommended training frequency.

    • Although the Insurance Act sets out obligations for general personal information record maintenance, it does not specify requirements for training records.

  • COPPA
    • Section 312.5 of Children's Online Privacy Protection Rule 1999 notes that a method for obtaining parental consent is to have the parent call a toll-free telephone number staffed by trained personnel, or have a parent connect to trained personnel via video-conference.

    • The Federal Trade Commission ('FTC') required annual COPPA compliance training for relevant employees in a settlement it made with two well-known online services companies.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

  • Delaware
    • Delaware Code, Title 18, Chapter 86, Insurance Data Security Act ('the Insurance Data Security Act') sets out provisions for employee training.

    • No further information.

    • Under §8604 of the Insurance Data Security Act, a licensee is required to provide training to its personnel.

    • §8604 of the Insurance Data Security Act provides that a licensee must establish an information security program, which includes personnel training. A 'licensee' is defined in §8603 of the Insurance Data Security Act as 'a person who is licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of this State. "Licensee" does not mean either of the following:
      a. A purchasing group or risk retention group that is chartered and licensed in a state other than this State.
      b. A licensee that is acting as an assuming insurer that is domiciled in a state other than this State or another jurisdiction.'

    • §8604 of the Insurance Data Security Act stipulates that licensees must provide their personnel with 'cybersecurity awareness training'.

    • §8604 of the Insurance Data Security Act outlines that the cybersecurity awareness training should be 'updated as necessary to reflect risks that the licensee identified in the licensee’s risk assessment under this section.'

    • No further information.

  • FACTA
    • The Identity Theft Red Flags Rule and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003, 16 CFR Part 681 ('the Red Flags Rule') provides requirements for the establishment of an Identity Theft Program ('the Program'), which includes obligations for staff training.

    • The Federal Trade Commission ('FTC') has issued a general guide on the Red Flags Rule ('the Guide').

    • The Red Flags Rule refers to 'staff training, as necessary, to effectively implement the Program.' The Guide notes, 'that employees at many levels of your organization can play a key role in identity theft deterrence and detection.'

    • The Red Flags Rule provides that 'each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Program', and that such institution or creditor should 'involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program'.

    • The Red Flags Rule only specifies that the training should be 'as necessary' to implement the Program. The Guide outlines, 'Staff who have taken fraud prevention training may not need to be re-trained.'

    • The Red Flags Rule does not directly address the frequency of training, although it does require that the Program is updated 'periodically'. In addition, the Guide notes, 'The person responsible for your program should report at least annually to your Board of Directors or a designated senior manager. The report should evaluate how effective your program has been in addressing the risk of identity theft; how you’re monitoring the practices of your service providers; significant incidents of identity theft and your response; and recommendations for major changes to the program.'

    • No further information.

  • FCRA
    • §610.(c) of the Fair Credit Reporting Act ('FCRA') specifies: 'Any consumer reporting agency shall provide trained personnel to explain to the consumer any information furnished to him pursuant to section 609 [§ 1681g] of this title.' Appendix E of the Fair Credit Reporting (Regulation V) ('the FCR') further clarifies training requirements for furnishers of information to consumer reporting agencies.

    • The Consumer Financial Protection Bureau has released Fair Credit Reporting Act (FCRA) Examination Procedures ('the Examination Procedures'), which refer to training requirements under the FCRA.

    • Under §610.(c) of the FCRA, personnel who disclose information to consumers must be trained. In addition, Appendix E of the FCR requires that furnishers of information to consumer reporting agencies develop policies and procedures, including 'Training staff that participates in activities related to the furnishing of information about consumers to consumer reporting agencies to implement the policies and procedures.'

    • The FCRA requirements allocate responsibility to consumer reporting agencies. The FCR requirements allocate responsibility to furnishers of information to consumer reporting agencies.

    • The Examination Procedures note that during an initial examination, there will be a 'Review the financial institutions training materials to determine whether
      a. Appropriate training is provided to individuals responsible for FCRA compliance and operational procedures, and
      b. The training is comprehensive and covers the various aspects of the FCRA that apply to the individual financial institution's operations.'

    • No further information.

    • No further information.

  • France
    • Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French; an unofficial English version of the Act is also available) ('the Act') stipulates that data protection officers ('DPOs') must be appointed according to the requirements of Chapter IV of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which includes obligations for staff training.

    • The French data protection authority ('CNIL') has issued various pieces of guidance that refer in general terms to employee training, including guidance on organising internal processes (only available in French).

    • Chapter IV of the GDPR, as referred to by the Act, provides that staff involved in processing operations should be trained.

    • The Act in referring to the GDPR allocates responsibility with DPOs.

    • No further information.

    • No further information.

    • Whilst the GDPR does not expressly provide for record-keeping requirements in relation to training, accountability is one of the principles under the GDPR which provides that organisations must be able to demonstrate compliance.

  • GDPR
    • Article 39(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') states that a data protection officer should monitor an organisation's compliance with the GDPR, which includes raising awareness and training staff.

      Regarding Binding Corporate Rules ('BCR') specifically, Article 47(2)(n) of the GDPR states that an organisation's BCR should provide for appropriate data protection training to personnel having permanent or regular access to personal data. 

    • No further information.

    • Article 39(1)(b) of the GDPR states that 'staff' should be trained.

    • Article 39(1)(b) of the GDPR states that it is the data protection officer's task to raise awareness and train staff.

    • Whilst the GDPR does not expressly provide for the content of the training, authorities such as the UK Information Commissioner's Office state in Guidance on the Right of Access that specific training may need to be given to staff that, for example, regularly interact with customers.

    • Whilst the GDPR does not expressly provide for frequency, authorities such as the UK Information Commissioner's Office state in its Security Guidance that 'appropriate initial and refresher training' be provided.

    • Whilst the GDPR does not expressly provide for record-keeping requirements in relation to training, accountability is one of the principles under the GDPR which provides that organisations must be able to demonstrate compliance.

  • Germany
    • Section 7 of the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) ('BDSG') outlines the tasks of a data protection officer including: 'awareness-raising and training of staff involved in processing operations.'

    • The Federal Commissioner for Data Protection and Freedom of Information ('BfDI'), as well as state data protection authorities, have released guidance on several topics that relate to training, including a brochure on data protection officers (only available to download in German) ('the DPO Brochure').

    • The BDSG refers to 'training of staff involved in processing operations'. In addition, the DPO Brochure discusses the need for DPOs in particular to be trained.

    • The BDSG allocates responsibility for training staff with the DPO.

    • The DPO Brochure considers different levels of training such as basic and advanced, and outlines that training content should be targeted to address the requirements of a given group.

    • The DPO Brochure generally suggests that training should be ongoing.

    • While the BDSG does not specifically refer to keeping records of training, it does stipulate that data controllers are required to be able to demonstrate compliance.

  • GINA
    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • §1602.14 of the Recordkeeping and Reporting Requirements Under Title VII, The ADA and GINA (29 CFR §1602 et seq.) ('the GINA Record Requirements') stipulates: 'Any personnel or employment record made or kept by an employer (including but not necessarily limited to requests for reasonable accommodation, application forms submitted by applicants and other records having to do with hiring, promotion, demotion, transfer, lay-off or termination, rates of pay or other terms of compensation, and selection for training or apprenticeship) shall be preserved by the employer for a period of one year from the date of the making of the record or the personnel action involved, whichever occurs later.' Please note that the GINA Record Requirements include exceptions as well as additional requirements for specific sectors.

  • GLBA Safeguards Rule
    • The Standards for Safeguarding Customer Information ('the Safeguards Rule') implements Sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act of 1999 ('GLBA') and establishes employee training requirements.

    • The Interagency Guidelines Establishing Information Security Standards ('the Guidelines') further clarify training in relation to Section 501 of the GLBA.

    • §314.4 of the Safeguards Rule refers to 'employee training', and the Guidelines likewise refer in broad terms to training 'staff'.

    • §314.4 of the Safeguards Rule notes that an employee or employees should be designated to coordinate the information security program. The Guidelines suggest that the relevant institution 'should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program'.

    • The Safeguards Rule does not address this matter. The Guidelines provide the following examples that an institution should consider: 'Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and Train staff to properly dispose of customer information.'

    • No further information.

    • No further information.

  • HIPAA - HITECH
    • §164.308 of Title 45 of the Code of Federal Regulations ('the HIPAA Security Rule') and §164.530 of Title 45 of the Code of Federal Regulations ('the HIPAA Privacy Rule') establish mandatory training requirements. These sections address administrative safeguards and administrative requirements respectively.

      Section 13401 of the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH') provides that, 'Sections 164.308, 164.310, 164.312, and 164.316 of Title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.' As such, the training requirements of the HIPAA Security Rule are applicable in relation to HITECH.

    • The U.S. Department of Health & Human Services' Office for Civil Rights ('OCR') created a Summary of the HIPAA Security Rule ('the HIPAA Security Summary') and a Summary of the HIPAA Privacy Rule ('the HIPAA Privacy Summary').

    • The HIPAA Security Rule requires that a security and awareness training program is implemented for all members of a covered entity's workforce (including management). 

      The HIPAA Privacy Rule stipulates, 'A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.' The HIPAA Privacy Summary clarifies that 'workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity)'.

    • Under both the HIPAA Security Rule and the HIPAA Privacy Rule, responsibility for training ultimately lies with the covered entity. The HIPAA Security Rule also provides that a 'security official' should be identified to implement policies and procedures, while the HIPAA Privacy Rule requires that a 'privacy official' is designated to be responsible for policies and procedures.

    • The HIPAA Security Rule stipulates: '(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
      (ii) Implementation specifications. Implement:
      (A) Security reminders (Addressable). Periodic security updates.
      (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
      (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
      (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.'

      The HIPAA Security Summary further notes, 'A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures'.

      The HIPAA Privacy Rule requires, 'A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.'

    • The HIPAA Security Rule does not directly address the frequency of training, although it does provide that there must be 'periodic security updates', and that there are 'periodic technical and nontechnical evaluations' of compliance with requirements.

      The HIPAA Privacy Rule provides: '(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
      (2) Implementation specifications: Training. (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
      (A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
      (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
      (C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.'

    • Although the HIPAA Security Rule does not directly refer to keeping records of training, it does establish general requirements for maintaining security records.

      The HIPAA Privacy Rule provides: '(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.' Paragraph (j) of the HIPAA Privacy Rule further stipulates: '(j)(1) Standard: Documentation. A covered entity must:
      (i) Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;
      (ii) If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and
      (iii) If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.
      (iv) Maintain documentation sufficient to meet its burden of proof under §164.414(b).
      (2) Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.'

  • Hong Kong
    • There are no general mandatory data protection education or training requirements.

    • Sections 12 and 13 of the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2013 ('the PDPO') provide that the Office of the Privacy Commissioner for Personal Data ('PCPD') may approve or issue codes of practice. While the PDPO specifies that such codes of practice do not in and of themselves give rise to liability, they may be used in proceedings where a data user is alleged to have contravened the PDPO. The PCPD has issued several codes of practice, including the Code of Practice on Human Resource Management ('the HRM Code'), which recommends staff personal data protection training.

    • The HRM Code highlights the training of staff handling employment-related personal data. However, the HRM Code also notes that 'Employees play the principal role in implementing an employer’s policies on the security of personal data' and emphasises that new recruits should be provided with personal data protection training (Section 1.4.1 of the HRM Code).

    • The HRM Code notes that employers should develop relevant policies and determine whether policies satisfy certain criteria, including: 'The employer commits to, and provides, on-going training to staff on matters relating to personal data protection.' (Section 1.4.1 of the HRM Code)

    • The HRM Code notes that employers should have personal data privacy policies, and that training should ensure observance of these policies. In addition, the HRM Code specifies that, 'Employer’s policy manuals, training materials, and employee handbook are periodically reviewed to ensure that they are consistent with the requirements under the PDPO and any codes of practice in force.' (Section 1.4.1 of the HRM Code)

    • The HRM Code suggests that training should be ongoing, that training materials are periodically reviewed, and that communication on security matters should be regular and systematic. (Section 1.4.1 of the HRM Code)

    • The HRM Code clarifies that the PDPO requires that employees are informed of certain matters in relation to the collection of their personal data, and that personal data records related to the training of employees that is collected directly from the employees would fall under this requirement. The HRM Code further notes that such information can be issued to employees in the form of a written personal information collection statement that is provided when an employee accepts an offer of employment or during induction (Sections 3.1.3-3.1.4).

  • Massachusetts
    • Standards for the Protection of Personal Information of Residents of the Commonwealth §17.00 of Title 201 of the CMR ('the Safeguards Regulation') sets out general privacy related employee training requirements.

    • No further information.

    • §17.03 of the Safeguards Regulation requires that comprehensive information security programs be developed, as dependent on the person owning or licensing personal information, which includes limiting risks through measures such as 'ongoing employee (including temporary and contract employee) training'.

    • §17.03 of the Safeguards Regulation provides that 'Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.'

    • §17.03 of the Safeguards Regulation broadly requires: 'Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: 
      1. ongoing employee (including temporary and contract employee) training'

      §17.04 of the Safeguards Regulation more specifically requires: 'Education and training of employees on the proper use of the computer security system and the importance of personal information security.'

    • The frequency of training is not directly addressed, however §17.03 of the Safeguards Regulation requires: 'Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. (i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.'

    • No further information.

  • Nigeria
    • The Nigeria Data Protection Regulation 2019 ('NDPR') does not expressly address training requirements; however, it provides for Data Protection Compliance Organisations ('DPCOs') to be licensed by the National Information Technology Development Agency ('NITDA') in order to monitor and audit data controllers and to provide training and data protection compliance consulting to them. Furthermore, the NDPR requires audit reports, which do not directly refer to training but do include policies and practices for security and proper use of personal information.

    • NITDA published, on 11 July 2019, a draft Data Protection Implementation Framework ('the Draft Framework') for the NDPR which details the roles of DPCOs as well as general training expectations in relation to audit reports and data protection officers ('DPOs') as required under the NDPR.

    • Annex A of the Draft Framework provides an audit report template for NDPR compliance. This template suggests assessing whether all staff are trained to recognise and deal with subject access requests, and whether all staff who deal with personal data are trained about their responsibilities and data protection procedures.

    • Data controllers are required to conduct audits, under Article 4.1(5) of the NDPR, and to appoint DPOs, under Article 4.1(2) of the NDPR. The audit report template within the Draft Framework suggests that a DPO would have the responsibility for 'awareness-raising and training of staff involved in processing operations'.

    • The audit report template within the Draft Framework suggests assessing that all staff are trained to recognise and deal with subject access requests, and that all staff who deal with personal data are trained about their responsibilities and data protection procedures.

    • The audit report template within the Draft Framework suggests assessing that the DPO has been trained within the past year. The NDPR provides that audit reports shall be produced annually by data controllers who process the personal data of more than 2000 data subjects in a period of 12 months.

    • While the NDPR does not expressly address record-keeping requirements in relation to training, the audit report template in the Draft Framework implies that some form of record may be expected for audit purposes.

  • Nova Scotia Personal Health Information Act
    • Article 67 of the Personal Health Information Act, SNS 2010, c. 41 (as amended by 2012 c. 31; 2014 c. 32, s. 151) ('PHIA') requires custodians to designate a 'contact person' who would be responsible for, among other things, staff training.

    • The Department of Health and Wellness has released Toolkit for Custodians: A Guide for the Personal Health Information Act ('the Toolkit').

    • PHIA refers to the training of the custodian's staff. The Toolkit suggests that policies may include training on the requirements under PHIA for all employees, volunteers and other agents.

    • PHIA allocates responsibility for training with the 'contact person', who may be one or more individuals designated by the custodian.

    • The Toolkit refers to training on requirements under PHIA, the custodian's policies and procedures, and general privacy and confidentiality.

    • The Toolkit suggests that training should be regular in order to mitigate certain risks.

    • No further information.

  • Ontario Personal Health Information and Privacy Act
    • Article 15(3) of the Personal Health Information Protection Act, SO 2004 c 3, Sched. A ('PHIPA') describes the functions of a designated 'contact person', which includes ensuring 'that all agents of the custodian are appropriately informed of their duties under this Act.'

    • The Information and Privacy Commissioner of Ontario has released Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act ('the PIA Guidelines'), which discusses staff training. In particular, the PIA Guidelines notes in response to the question of whether staff receive training: 'If your organization does not have any form of privacy training in place, select "no." However, note that one of the responsibilities of your organization's privacy contact person is to ensure agents are appropriately informed of their duties under PHIPA. Your PIA should identify any privacy-related training that your organization's employees or agents undergo. [...] The information you provide on privacy training should note the length and frequency of training, which categories of employees or agents receive training, and how the organization documents the fact that an employee or agent has received privacy training.'

    • PHIPA provides that all agents of the custodian should be appropriately informed of their duties.

    • The responsibility for ensuring all agents are appropriately informed is allocated to the 'contact person'.

    • PHIPA requires that agents are informed of their duties as provided for under PHIPA.

    • No further information.

    • No further information.

  • Russian Federation
    • Article 18.1 of Federal Law of 27 July 2006 No. 152-FZ on Personal Data (only available in Russian here; an unofficial English version of the Law is available here) ('the Law on Personal Data') provides measures to ensure compliance, including: 'Familiarization of the employees of the controller who are directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation concerning personal data, including the requirements relating to the protection of personal data, documents defining the policies of the controller on the processing of personal data, local laws on the processing of personal data, and (or) provision of training to such employees.' (Article 18.1.1(6) of the Law on Personal Data)

    • No further information.

    • Article 18.1.1(6) of the Law on Personal Data states that 'employees of the controller who are directly involved in the processing of personal data' must be familiar with relevant laws, provisions, policies, and/or training.

    • Article 18.1 of the Law on Personal Data specifies that the data controller, also referred to as the 'operator', is responsible for measures such as ensuring the familiarisation of relevant employees. In addition, Article 22.1 of the Law on Personal Data sets out requirements for the controller to appoint an individual responsible for organising personal data ('data protection officer'). Article 22.1.4(2) provides that one of the responsibilities of the data protection officer is 'To make the employees of the controller aware of the provisions of the legislation of the Russian Federation on personal data, local laws on the processing of personal data, and requirements relating to the protection of personal data'.

    • Article 18.1.1(6) of the Law on Personal Data provides that relevant employees are familiarised with 'the provisions of the legislation of the Russian Federation concerning personal data, including the requirements relating to the protection of personal data, documents defining the policies of the controller on the processing of personal data, local laws on the processing of personal data'.

    • No further information.

    • No further information.

  • Singapore
    • Although the Personal Data Protection Act (No. 26 of 2012) ('the PDPA') does not expressly address training requirements, it does require that organisations develop policies and practices in order to comply with the PDPA and to communicate these policies and practices to staff (Section 12 of the PDPA).

    • The Personal Data Protection Commission ('PDPC') has released several pieces of non-binding guidance that recommend training, including the Guide to Developing a Data Protection Management Programme (15 July 2019) ('the DPMP Guide') and the DPO Competency Framework and Training Roadmap ('the Roadmap').

    • The DPMP Guide details levels of training that are recommended for different stakeholders, which range from all staff to the board of directors. The Roadmap specifically addresses training requirements for DPOs.

    • In accordance with the DPMP Guide and the Roadmap, DPOs would be principally responsible for raising awareness and general data protection training.

    • In general terms, the content of training recommended by the DPMP Guide and the Roadmap addresses standard personal data protection policies and practices. Both the DPMP Guide and the Roadmap, however, go into significant detail breaking down areas to focus on for different groups. For instance, the DPMP Guide suggests broad training on the PDPA for all staff and more in-depth, targeted training for staff handling personal data.

    • The DPMP Guide suggests that refresher courses for all staff are conducted 'periodically (e.g. annually)' as well as on an ad-hoc basis when there are revisions to the PDPA, guidelines, or policies and practices.

    • No further information.

  • TCPA
    • §64.1200 of the Telephone Consumer Protection Act Regulations 1992 (47 CFR Part 64) ('the TCPA Regulations') provides that: '(d) No person or entity shall initiate any call for telemarketing purposes to a residential telephone subscriber unless such person or entity has instituted procedures for maintaining a list of persons who request not to receive telemarketing calls made by or on behalf of that person or entity. The procedures instituted must meet the following minimum standards: [...] (2) Training of personnel engaged in telemarketing. Personnel engaged in any aspect of telemarketing must be informed and trained in the existence and use of the do-not-call list.'

    • No further information.

    • §64.1200(d) of the TCPA Regulations specifies that 'personnel engaged in any aspect of telemarketing' must be trained. In addition, §64.1200(c) notes that an organisation will not be liable for violating requirements of the do-not-call registry if it can demonstrate such violation was an error and that it meets certain standards as part of routine business practice, including that 'it has trained its personnel, and any entity assisting in its compliance, in procedures established pursuant to the national do-not-call rules.'

    • The training related provisions in the TCPA Regulations allocate responsibility to 'any person or entity' engaged in telemarketing or telephone solicitations.

    • The minimum standard set by §64.1200(d) of the TCPA Regulations specifies that relevant personnel 'must be informed and trained in the existence and use of the do-not-call list.'

    • §64.1200(c) of the TCPA Regulations refers to meeting standards, including training, as part of 'routine business practice' in order to be exempt from liability in certain circumstances.

    • No further information.

  • Thailand
    • Section 41 of the Personal Data Protection Act 2019 ('PDPA') provides that certain data controllers and processors should designate data protection officers ('DPOs'), and Section 42 of the PDPA stipulates that one of the responsibilities of a DPO is to give advice to data controllers and processors, and their employees and service providers, with respect to compliance with the PDPA.

    • No further information.

    • Section 42 of the PDPA provides that advice should be given to data controllers, data processors, employees, and service providers.

    • Section 42 of the PDPA requires that DPOs give advice on compliance.

    • No further information.

    • No further information.

    • No further information.

  • UK
    • Article 71 of the Data Protection Act 2018 sets out the tasks of a data protection officer ('DPO') including: 'training staff involved in processing operations.'

    • The Information Commissioner's Office ('the ICO') refers to staff training in relation to several topics, such as guidance on data protection officers or data security. Please note, current guidance from the ICO refers primarily to the GDPR, which will be in effect until the end of the UK's transition period out of the EU.

    • The Data Protection Act 2018 refers to 'training staff involved in processing operations.'

    • The Data Protection Act 2018 allocates responsibility for training staff with the DPO.

    • The ICO states in guidance on the right of access that specific training may need to be given to staff that, for example, regularly interact with customers.

    • The ICO states in its Security Guidance that 'appropriate initial and refresher training' be provided.

    • While the Data Protection Act 2018 does not specifically refer to keeping records of training, it does stipulate that data controllers are required to be able to demonstrate compliance.

  • UK Caldicott Guardians
    • No further information.

    • The role of a Caldicott Guardian, a senior person responsible for protecting the confidentiality of people's health and care information, was originally recommended in The Caldicott Committee: Report on the Review of Patient-Identifiable Information (1997) ('the Caldicott Report'). A second review in 2013, Information: To share or not to share? The Information Governance Review ('Caldicott 2'), expanded on recommendations for the management of personal health information. In addition, A Manual for Caldicott Guardians ('the Manual') has been produced by the UK Caldicott Guardian Council.

    • The Caldicott Report recommended that 'A senior person should be nominated in each NHS organisation, including the Department of Health and associated agencies, to act as a "guardian".' This recommendation was accepted and NHS organisations are required to appoint such a Caldicott Guardian. The Manual details training that a Caldicott Guardian should receive.

      Caldicott 2 sets out recommendations for training for all levels of health and social care staff, although it particularly emphasises the training of senior leadership.

    • NHS organisations are required to have a Caldicott Guardian. Caldicott 2 recommends that 'all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development.'

    • The Manual sets out general expectations of what a Caldicott Guardian would need to know and how a Caldicott Guardian can train.

    • Caldicott 2 suggests, 'In addition to the standard training and education, Caldicott Guardians need to demonstrate continuous professional development in information governance on an annual basis.' Caldicott 2 further notes, 'it is vital that senior managers understand the practical information governance challenges staff face. They should demonstrate continuous professional development in information governance in at least 3-year cycles.'

    • Although the Caldicott Guardian related material does not directly address maintaining records of training, there are several recommendations and suggested practices pertaining to information governance and general record management.

  • US Banking Secrecy Act
    • The Procedures for Monitoring Bank Secrecy Act Compliance ('the Procedures') require that banks establish compliance programs which contain, at a minimum, the provision of training to appropriate personnel.

    • The compliance program overview in the BSA/AML Examination Manual ('the Manual') released by the Federal Financial Institutions Examination Council ('FFIEC') details the expectations of the 'training' referred to in the Procedures.

    • The Procedures refer to the training of 'appropriate personnel'. The Manual suggests that 'at a minimum, the bank's training program must provide training for all personnel whose duties require knowledge of the Bank Secrecy Act ('BSA'). The training should be tailored to the person's specific responsibilities. In addition, an overview of the BSA/AML requirements typically should be given to new staff during employee orientation. Training should encompass information related to applicable business lines, such as trust services, international, and private banking. The BSA compliance officer should receive periodic training that is relevant and appropriate given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the bank. The board of directors and senior management should be informed of changes and new developments in the BSA, its implementing regulations and directives, and the federal banking agencies’ regulations. While the board of directors may not require the same degree of training as banking operations personnel, they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the bank.'

    • The Procedures allocate responsibility for compliance programs to banks. The Manual clarifies that 'The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure'.

    • The Manual outlines that, 'Training should be ongoing and incorporate current developments and changes to the BSA and any related regulations. Changes to internal policies, procedures, processes, and monitoring systems should also be covered during training. The training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.

      Examples of money laundering activity and suspicious activity monitoring and reporting can and should be tailored to each individual audience. For example, training for tellers should focus on examples involving large currency transactions or other suspicious activities; training for the loan department should provide examples involving money laundering through lending arrangements.'

    • The Manual only notes that training should be 'ongoing.'

    • The Manual suggests that, 'Banks should document their training programs. Training and testing materials, the dates of training sessions, and attendance records should be maintained by the bank and be available for examiner review.'

Awareness Training Courses

  • Courses
  • Course Outline
  • Customer Service
    • Course Details

      Privacy and Customer Service – 14 minutes
      On the front lines of handling personal information, customer service employees need to be educated in proper processing to keep data safe and maintain customer privacy. This unit discusses the importance of verification and authentication procedures, the critical privacy principles of data minimisation and use limitation, as well as concerns about sharing data and taking notes when helping customers.

      Protecting Privacy in the Call Center – 15 minutes
      Call center employees handle personal information every day and must be aware of how to handle it properly. This unit examines several primary privacy concerns, including social engineering, note taking, data minimisation, use limitation and security.

      CCPA Compliance for Customer Service – 9 minutes
      Employees will learn about consumer rights and their role in fulfilling them, as well as when a request may require escalation. In addition, they will learn about CCPA business requirements, such as providing consumers with the means to submit a request and the importance of authenticating consumers.

    • Course Outline

      Privacy and Customer Service

      1. Introduction
      2. Objectives
      3. Customer Information
      4. Authentication
      5. Minimization
      6. Sharing
      7. Limit Access
      8. Customer Notes and Comments
      9. Summary
      10. Assessment Questions


      Protecting Privacy in the Call Center

      1. Introduction
      2. Objectives
      3. Customer Information
      4. Authentication
      5. Minimisation
      6. Sharing
      7. Reporting Suspicious Calls
      8. Limit Access
      9. Safeguard Data in Your Possession
      10. Customer Notes and Comments
      11. Summary
      12. Assessment Questions


      CCPA Compliance for Customer Service

      1. Introduction
      2. Definitions
      3. Consumer Interaction
      4. Consumer Rights Intro
      5. Right to Know What is Being Collected
      6. Right to Know Where Personal Information was Collected
      7. Right to Know with Whom It is Shared
      8. Right to Know Why Personal Information is Collected
      9. Right to be Forgotten
      10. Right to Opt Out
      11. Business Obligations
      12. Authentication
      13. Authentication - Minors
      14. Non-discrimination
      15. Summary
      16. Assessment Questions


  • Financial
    • Course Details

      Privacy Essentials in the Financial Sector - 11 minutes

      Employees working in the financial sector - for example, personal banking, investment banking, insurance, credit reporting, credit lending and mortgage lending - handle a significant amount of information about individuals. This unit will help you answer the following questions: What is personal information? What is the difference between privacy and security? What are privacy principles and the data lifecycle, and how do they relate to privacy?

    • Course Outline

      Privacy Essentials in the Financial Sector

      1. Introduction
      2. Objectives
      3. Personal Information
      4. Sensitive Personal Information
      5. Information Privacy
      6. Privacy Principles
      7. Data Lifecycle
      8. Security
      9. Financial Sector Privacy Laws and Regulations
      10. Summary
      11. Assessment Questions
  • General Awareness
    • Course Details

      Why Data Protection Matters? – 10 minutes
      This unit answers questions such as:

      • What is privacy?
      • Why should I care about data protection?
      • Why is data protection important to my organisation?

      By helping employees understand data protection and information security, you can reduce errors that often result in data protection incidents.

      What is Personal Data? – 9 minutes
      Recognising personal data is a critical step in data protection. This unit introduces the concepts of sensitivity, identifiability, masking, aggregating and truncating to help employees better recognise and process personal data.

      Processing Personal Data – 14 minutes
      Data protection responsibilities begin the moment personal data enters your organization and continue until it is destroyed. Through a variety of scenarios, employees understand how to apply the data protection principles of transparency, consent, data minimisation, purpose limitation, security and access throughout the information life cycle.

      Privacy and Data Protection Basics: A Knowledge Check – 1 minute
      This unit is designed as a refresher course for your team on the essentials of privacy and data protection. It includes 15 questions, varying in difficulty, to assess how well employees remember their basic training. If any team member needs an in-depth review of the fundamentals, they can be directed to the unit 'Privacy and Data Protection Essentials.'

      Privacy and Data Protection Essentials – 11 minutes
      This introductory unit provides learners the foundation needed to understand privacy concepts, including defining personal information, outlining the data lifecycle, defining privacy and its importance to organizations handling personal information. The unit also covers basic privacy principles and how they form the basis for laws and organisational policies.

      Identifying Phishing Attacks — Can You Avoid Getting Hooked? – 18 minutes
      This fully-interactive and timed unit raises learner awareness of various indicators to help identify phishing attempts. Learners are challenged to review emails and decide which are legitimate and which are phishing attacks.

      Privacy and Security Awareness – 10 minutes
      This unit increases employees' awareness of basic privacy and security practices in the workplace. Topics include analysing types of information, minimizing data access to only what is necessary, keeping information secure, properly destroying information, and staying alert.

      Recognising and Avoiding Social Engineering – 15 minutes
      Data thieves use a variety of methods to trick employees into divulging information. This unit explores some of the tactics and common warning signs for phishing, spoofing, telephone and in-person scams.

    • Course Outline

      Why Data Protection Matters?

      1. Introduction
      2. Objectives
      3. Types of Privacy
      4. Technology and Privacy
      5. Data Fuels the Economy
      6. Why Should You Care About Privacy and Data Protection
      7. Consequences of Getting Privacy and Data Protection 'Wrong'
      8. Security v. Privacy
      9. Summary
      10. Assessment Questions

       

      What is Personal Data?

      1. Introduction
      2. Objectives
      3. Personal Information Defined
      4. Identify Personal Information
      5. Personal Information and Sensitivity
      6. Context and Its Impact on Sensitivity
      7. Identifiability
      8. Methods for Reducing Identifiability
      9. Summary
      10. Assessment Questions

       

      Processing Personal Data

      1. Introduction
      2. Objectives
      3. The Data Lifecycle
      4. Lifecycle of Employee Information
      5. Lifecycle of Customer Information
      6. Common Data Protection Principles
      7. Data Protection Principles: Transparency, Consent, Data Minimisation, Purpose Limitation, Access, Security
      8. Putting Data Protection Principles into Practice
      9. Rate Yourself
      10. Summary
      11. Assessment Questions

       

      Privacy and Data Protection Essentials

      1. Introduction
      2. Objectives
      3. Types of Privacy
      4. What is Personal Information
      5. Combining Personal Information
      6. Reducing Identifiability
      7. Sensitive Personal Information
      8. Context and Its Impact on Sensitivity
      9. Employees
      10. Why Should You Care
      11. Privacy and Security
      12. Information Lifecycle
      13. Privacy Principles
      14. Factors Determining Use
      15. Summary
      16. Assessment Questions

       

      Identifying Phishing Attacks

      1. Introduction
      2. Scenario
      3. Rules
      4. Interactive Assessment

       

      Privacy and Security Awareness

      1. Introduction to Privacy and Security
      2. Types of Information
      3. Data Storage
      4. Data Minimization
      5. Access Control
      6. Security Measures for Different Types of Information
      7. Data Destruction
      8. Staying Alert of Privacy Issues
      9. Responsible Personnel

       

      Recognising and Avoiding Social Engineering

      1. Introduction
      2. Objectives
      3. Social Engineering Defined
      4. Corporate Scams
      5. Email: Phishing, Folder and Recipients, The Sender, Subject Line and Attachments, The Message
      6. Spoofing
      7. Email: Reply and Personal Emails
      8. Telephone
      9. In Person
      10. Other Digital Concerns
      11. Summary
      12. Assessment Questions
  • Healthcare
    • Course Details

      Privacy Essentials for the Healthcare Industry – 11 minutes
      This course will help define personal data and sensitive personal data, including health data. The course will discuss general data protection principles, with a focus on data minimisation and data lifecycle, meeting privacy expectations of individuals and list key privacy laws that affect processing of health data.

    • Course Outline

      Privacy Essentials for the Healthcare Industry

      1. Introduction
      2. Personal Data
      3. Data Privacy
      4. Data Privacy Laws
      5. Data Privacy Laws by Region
      6. Data Privacy Principles
      7. Data Lifecycle
      8. Flow of Personal Data
      9. Processing Health Data
      10. Health Data Collection and Use
      11. Keeping Health Data Private
      12. Summary
      13. Assessment Questions
  • Human Resources
    • Course Details

      BYOD for HR - Balancing Convenience and Privacy – 10 minutes
      Human Resource professionals face special considerations and issues when employees use their own devices for work. Understanding the risks involved with Bring Your Own Device ('BYOD') and knowing how to communicate and enforce policies are key to protecting your organisation and your employees.

      Maintaining Privacy when Handling Employee Files – 13 minutes
      This unit covers the proper handling of data stored in employee files, including controlling access to those files, appropriate storage of medical and background check data, managing employee data throughout its lifecycle, exercising discretion when discussing employee information, and how to handle sensitive information.

      Privacy Considerations When Monitoring Employees – 12 minutes
      This unit is designed to help you consider the implications of monitoring, so you can better protect your organisation and the privacy of employees. Monitoring employees, workplaces and information is becoming more and more important. Along with the need for monitoring comes the need for well-thought out policies, clear communication and careful implementation.

      Protecting Privacy During the Hiring Process – 11 minutes
      How does privacy impact the hiring process when you need to reduce legal risks yet maintain a good reputation with applicants? Learn how to protect the information of applicants and employees while protecting yourself and your organisation from legal ramifications.

      Employee Privacy & Third Party Vendor Management – 8 minutes
      This unit is designed to highlight considerations and issues related to vendors. Vendors can be essential to an organization’s success; they can also create liability for an organisation. Building a strong, positive relationship means careful planning, good contracts and effective execution of those contracts.

    • Course Outline

      BYOD for HR - Balancing Convenience and Privacy

      1. Introduction
      2. Benefits and Risks of BYOD
      3. Passwords
      4. Segregation
      5. Mobile Device Management
      6. Exit Strategies
      7. Legal Compliance
      8. BYOD Policies

       

      Maintaining Privacy When Handling Employee Files

      1. Introduction
      2. Collecting Employee Information
      3. Access Management
      4. Storage
      5. Sharing
      6. Protecting Sensitive Information
      7. Privacy Concerns
      8. Employee References

       

      Privacy Considerations When Monitoring Employees

      1. Introduction
      2. Considerations
      3. Categories of Monitoring
      4. Methods of Monitoring
      5. Employer's Responsibilities
      6. Risks of Over Collection of Employee Information
      7. Impacts of Monitoring
      8. Summary
      9. Assessment Questions

       

      Protecting Privacy During the Hiring Process

      1. Introduction
      2. Hiring Policies
      3. Interview Questions
      4. Applicant Information Source
      5. Legal Compliance
      6. Use of Applicant Information
      7. Data Privacy in Hiring Lifecycle
      8. Management of Applicant Information
      9. Summary
      10. Assessment Questions

       

      Employee Privacy & Third Party Vendor Management

      1. Introduction
      2. Choosing a Vendor
      3. Vendor Agreement
      4. Data Sharing and Risks Involved
      5. Precautions for Data Sharing with Vendors
      6. Terminating Vendors
      7. Summary
      8. Assessment Questions
  • Information Technology
    • Course Details

      Data Privacy for Information Security Professionals I – 8 minutes
      Information security professionals, system administrators and other IT employees must understand how to maintain privacy and navigate potential risks to personal information while managing an organization’s network. Unit topics include inventorying and updating systems and information, deleting unnecessary information, setting and reviewing access controls, employee monitoring, vendor management, plus helping develop and implement policies and training.

      Data Privacy for Information Security Professionals II – 16 minutes
      This unit helps information security professionals, system administrators and other IT employees recognise security issues throughout the data lifecycle. It addresses topics such as what personal information is and how to identify it, so they can better assist in determining appropriate uses for that data. This, in turn, allows them to institute proper limitations on access to the data. Understanding how data is classified also permits proper storage, archiving and destruction of data.

      Data Subject Rights for IT Professionals: A GDPR Unit – 14 minutes
      Under the GDPR, IT professionals are obligated to comply with data subject requests in a timely, efficient manner. With this unit, IT professionals receive specific information on data mapping and minimisation, plus data storage and sharing that facilitate compliance. We also review what constitutes 'consent,' appropriate authentication and how privacy notices enable proper compliance.

      Understanding Privacy by Design – 12 minutes
      This unit explains what privacy by design is, how it works and how it benefits your organisation. Topics include identifying necessary data, protecting data, limiting how data can be used, limiting data sharing, ensuring accessibility of user controls and providing notice to individuals.

    • Course Outline

      Data Privacy for Information Security Professionals I

      1. Introduction
      2. Privacy by Design
      3. Privacy and Security
      4. System Properties and Software
      5. Updating Data
      6. Deleting Obsolete Personal Information
      7. Use Limitation
      8. Access Request
      9. Removing Access
      10. IT Access
      11. Employee Monitoring
      12. Vendor Management
      13. Data Minimisation
      14. Summary
      15. Assessment Questions

      Data Privacy for Information Security Professionals II

      1. Introduction
      2. Information Security Employees
      3. Personal Information
      4. Sensitive Personal Information
      5. Data Lifecycle
      6. Collection
      7. Use and Access
      8. Sharing
      9. Storage
      10. Destruction
      11. Summary
      12. Assessment Questions

      Data Subject Rights for IT Professionals: A GDPR Unit

      1. Introduction
      2. IT's Role
      3. Objectives
      4. Data Mapping
      5. Transparency, Portability and Privacy Notice
      6. Consent and Authentication
      7. Summary
      8. Assessment Questions

      Understanding Privacy by Design

      1. Introduction
      2. Objectives
      3. What is Privacy by Design
      4. Data Minimisation
      5. Determine Use
      6. Lifecycle Security
      7. Sharing
      8. User Control
      9. Notice
      10. Summary
  • Laws and Regulations
    • Course Details

      GDPR: A Practical Overview – 15 minutes
      This unit discusses GDPR terms and their real-world applications, data subject rights, privacy principles and data controllers' obligations, so mid-level employees can better explain and enforce GDPR policies and procedures within your organisation.

      GDPR: A Knowledge Check – 2 minutes
      How well do your employees understand basic concepts of the GDPR and their effect on the handling of personal data? This unit tests employees' retention of what they've learned about the GDPR and identifies those who need follow-up training.

      Kids and Marketing: Understanding COPPA – 14 minutes
      This course helps marketers grasp the complex Children’s Online Privacy Protection Act ('COPPA') by breaking down the law and explaining how the FCC determines when, and if, COPPA applies. Among the topics covered will be a definition of COPPA, how to know if it applies to your online service, specific compliance issues and data collection options.

      The California Consumer Privacy Act: Awareness – 6 minutes
      The CCPA features broad privacy requirements new to many businesses. Get out in front of this sweeping legislation by helping employees understand the scope of the law, definitions of 'personal information' and 'consumer,' business obligations and consumer rights.

      LGPD: A Practical Overview – 13 minutes
      Having a basic grasp of Brazil’s new data protection law lets mid-level employees better explain and enforce the policies and procedures your organisation puts into place. It also helps identify potential issues in data processing that should be addressed. This unit discusses the terminology used in the LGPD, data subject rights, the legal bases for data processing, basic privacy principles, and data controller obligations.

    • Course Outline

      GDPR: A Practical Overview

      1. Why Data Protection Laws
      2. What is the GDPR
      3. Objectives
      4. Introduction to Personal Data
      5. Combining Personal Data
      6. Special Categories and Sensitive Data
      7. Processing
      8. Data Subject, Controller or Processor
      9. Consent
      10. Data Minimisation and Purpose Limitation
      11. Data Subject Rights
      12. Data Security
      13. Security Breach Notification
      14. Privacy by Design
      15. Accountability
      16. Summary
      17. Assessment Questions

       

      GDPR: A Knowledge Check

      1. Introduction
      2. Terms Used in the GDPR
      3. Basic Privacy Principles
      4. Data Subject Rights
      5. Data Controller's Obligations

       

      Kids and Marketing: Understanding COPPA

      1. Introduction
      2. Objectives
      3. What is COPPA
      4. General Audience
      5. Primary Site Deciding Factors
      6. Personal Information
      7. Secondary Audience
      8. Show What You Know
      9. Data Collection Requirements
      10. Consent
      11. Third-Parties
      12. What Should Organisations Do
      13. Summary
      14. Assessment Questions

       

      The California Consumer Privacy Act: Awareness

      1. Introduction
      2. Scope of the Law
      3. Business Obligations
      4. Consumer Rights
      5. Summary
      6. Assessment Questions

       

      LGPD: A Practical Overview

      1. Introduction
      2. Personal Data and the Law
      3. Personal Data Use
      4. Sensitive Data
      5. Data Processing
      6. Who Does the LGPD Apply to?
      7. Types of Processing Agents
      8. Privacy Notices
      9. Legal Basis for Processing
      10. Children's Data
      11. Anonymised and Pseudonymised Data
      12. Necessity Principle
      13. Purpose Limitation
      14. Purpose Limitation and Third Parties
      15. Data Subject Rights
      16. Accountability
      17. Security
      18. Security Incidents
      19. Summary
      20. Assessment Questions
  • Managers
    • Course Details

      Respecting Your Employees’ Privacy – 10 minutes
      Managers are in a unique position to regularly gather personal information about the employees they oversee. This unit is designed to help them recognize personal information when they encounter it, as well as understand their role in helping organisations maintain employee privacy.

      Vendor Management and Privacy: What Employees Should Know – 10 minutes
      Employees are not always aware of privacy concerns that can arise when working with vendors. This unit explains what a vendor is and how to select one, what to consider when ending a vendor relationship, and how to identify potential privacy risks while managing vendors.

    • Course Outline

      Respecting Your Employees’ Privacy

      1. Introduction
      2. Hiring - Resume
      3. Hiring - Interviews
      4. Hiring - Potential Candidates
      5. Hiring - Legal Requirements
      6. Existing Employees - Maintaining Privacy
      7. Existing Employees - Data Sharing
      8. Existing Employees - Monitoring
      9. Termination
      10. Summary
      11. Assessment Questions

       

      Vendor Management and Privacy: What Employees Should Know

      1. Introduction
      2. Objectives
      3. What Is a Vendor?
      4. Selecting a Vendor
      5. Contracts
      6. Free Personal Vendors Impact
      7. Hidden Risks
      8. Continuing Concerns
      9. Contract Change/Termination
      10. Summary
      11. Assessment Questions
  • Marketing
    • Course Details

      Collecting Consumer Information – 6 minutes
      This unit focuses on privacy concerns raised when marketers collect information about consumers, including why information collection should be limited, the importance of a comprehensive privacy notice, and how laws vary depending on location and how information is collected.

      Interest-Based Advertising for the Privacy-Conscious Marketer – 11 minutes
      By its nature, interest-based advertising centers on information collected about individuals. How can your organisation utilize this effective marketing technique while simultaneously protecting consumers’ privacy? Learn about privacy concerns that may surface with interest-based advertising, plus how to recognise and avoid risk.

      Loyalty Programs: Protecting the Privacy of Your Customers – 11 minutes
      This unit examines how privacy can be maintained while collecting information from customers through a loyalty program. It explores why notice and choice are important, how to employ privacy principles and the potential effect of third parties on privacy.

      Maintaining Privacy When Working with List Vendors – 12 minutes
      Using list vendors to reach consumers allows your organisation to expand its marketing reach. This unit highlights important privacy concerns, plus concrete ways you can minimize risk when contracting with a list vendor.

      Tracking Technologies and Privacy – 14 minutes
      This unit provides marketing employees with best practices for effectively utilizing tracking technologies such as cookies, while meeting consumer expectations and protecting your organisation. Explore necessary notices and consents, issues related to identifying individuals across devices through tracking technologies, and how to mitigate the risks of third-party data collection on websites and apps.

      Using Consumer Information – 8 minutes
      With so many ways to use consumer information, marketers need to be tuned in to customers’ points of view, be aware of privacy risks, concerns and legal requirements associated with different methods of marketing, and understand the importance of customer controls.

    • Course Outline

      Collecting Consumer Information

      1. Introduction
      2. Objectives
      3. Do and Do Not
      4. Necessary Data
      5. Compliance with the Law
      6. Laws around the World
      7. Data Collection Methods
      8. Summary
      9. Assessment Questions

       

      Interest-Based Advertising for the Privacy-Conscious Marketer

      1. Introduction
      2. Objectives
      3. What is IBA
      4. IBA Example
      5. Process for Ad Placement
      6. Privacy Concerns in the Process
      7. Knowledge Check: Concerns + Acceptable
      8. What Can You Do?
      9. Consumer Expectations Across Devices
      10. Consumer Tolerances
      11. Summary
      12. Assessment Questions

       

      Loyalty Programs: Protecting the Privacy of Your Customers

      1. Introduction
      2. Maintaining Privacy When Working with List Vendors
      3. Objectives
      4. Privacy Notice
      5. Data Minimisation
      6. Use Limitation
      7. Alternative Data Collection
      8. Third Parties
      9. Third Party Sharing
      10. Summary
      11. Assessment Questions

       

      Maintaining Privacy When Working with List Vendors

      1. Introduction
      2. Objectives
      3. Potential Mistakes when Purchasing Lists
      4. List Organisation
      5. Existing Customers
      6. Identifying the Customer Type
      7. Vendor Lists
      8. Verifying the Vendor List's Legitimacy
      9. Vendor Data Collection
      10. Data Collection Methods
      11. Notice and Opt-Out
      12. Flagging Vendor List Issues
      13. Due Diligence
      14. Privacy Principles
      15. Summary
      16. Assessment Questions

       

      Tracking Technologies and Privacy

      1. Introduction
      2. Objectives
      3. Cookies
      4. The Basics of Cookies
      5. The Basics of Identifiers
      6. Digital Fingerprinting
      7. Multiple Devices
      8. Consumer Concerns
      9. Privacy Policies
      10. Organisational Concerns
      11. Summary
      12. Assessment Questions

       

      Using Consumer Information

      1. Introduction
      2. Objectives
      3. Marketing Channels: Emails, Phone Calls, Mail, Text
      4. Data Do and Do Not: Email, Phone, Social Media
      5. Opting Out
      6. Caution and Over-Reaching
      7. Compiling Profiles
      8. Effective or Uncomfortable
      9. Summary
      10. Assessment Questions
  • Sales
    • Course Details

      Privacy Essentials for Sales Professionals – 14 minutes
      If your sales team can't address customer concerns about basic privacy fundamentals and policies, sales can be delayed or lost. This introductory unit provides them with foundational knowledge of key privacy concepts, including the definition of personal data, privacy laws that can affect sales professionals, the data lifecycle and data protection principles with a focus on data minimization.

    • Course Outline

      Privacy Essentials for Sales Professionals

      1. Introduction
      2. Personal Data
      3. Objectives
      4. Privacy Laws by Region
      5. Collecting Personal Data
      6. Data Minimisation
      7. Use Limitation
      8. Customer Expectations
      9. Customer Controls
      10. Data Sources
      11. Cold Calls
      12. Sharing - Intentional
      13. Summary
      14. Assessment Questions