Privacy Policy and Selecting Policy, Standard, or Procedure

Key Takeaways

  • Privacy policy explains how personal information is collected, used, shared, retained, and protected, and how individual rights (access, correction, deletion) are honored.
  • Policy = management intent; Standard = mandatory specific requirement; Procedure = step-by-step instructions; Guideline = recommended practice.
  • Standards and baselines are mandatory and measurable; guidelines are advisory unless adopted by policy.
  • Choose the document by the missing need: direction (policy), a required value (standard), ordered steps (procedure), or advice (guideline).
  • Privacy stresses data minimization, purpose limitation, retention limits, and honoring access, correction, and deletion requests.
Last updated: June 2026

Privacy Policy Focuses on Personal Information

A privacy policy tells individuals and personnel how the organization collects, uses, shares, retains, protects, and disposes of data about people. Personal information (sometimes called PII) includes names, addresses, identification numbers, account details, health and financial data, location data, and employment records — anything that identifies or relates to a person. Exact legal duties depend on jurisdiction and industry (for example, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or sector rules like HIPAA), but the operational core is stable:

  • Data minimization — collect only what is needed.
  • Purpose limitation — use it only for approved purposes.
  • Protection — secure it according to its sensitivity.
  • Retention limits — keep it only as long as required.
  • Individual rights — honor access, correction, and deletion requests through the approved process.

Privacy Policy in Daily Work

A privacy policy must match actual practice. If a site states customer data is used only for account support, the organization cannot quietly reuse it for unrelated marketing or sell it without an approved legal basis — that mismatch is both a privacy failure and a trust failure. If a help desk verifies identity before discussing account details, that supports privacy by reducing unauthorized disclosure. When a user requests deletion or correction, staff follow the approved privacy process rather than improvising.

Privacy also shapes incident response. If a laptop holding personal information is lost, the organization may need to determine what data was present, whether it was encrypted (under many breach-notification laws, data encrypted with a key that was not also compromised is treated as not breached, which can reduce or remove notification duties), whether access can be disabled, who must be notified, and what records prove the response. The privacy policy does not replace legal advice, but it gives a consistent starting point.

Policy, Standard, Procedure, Baseline, and Guideline

CC questions frequently test whether you can choose the right governance document. Memorize this hierarchy:

Document  | Mandatory?           | What it provides                                   | Example
----------|----------------------|----------------------------------------------------|---------------------------------------------------------------
Policy    | Yes (broad)          | High-level management intent and responsibility    | "Sensitive data must be protected from unauthorized disclosure."
Standard  | Yes (specific)       | A measurable, required value or control            | "User passwords must be at least 14 characters."
Baseline  | Yes                  | A minimum security configuration for a system type | "All laptops ship with disk encryption and a host firewall on."
Procedure | Yes (when triggered) | Ordered, step-by-step instructions                 | "To grant finance access: open a ticket, verify approval, assign the role, notify, record."
Guideline | No (advisory)        | Recommended practice                               | "Prefer a passphrase of unrelated words."

A policy is approved by leadership and carries broad authority. A standard makes policy measurable and enforceable. A baseline is the minimum acceptable configuration. A procedure drives consistency and reduces mistakes. A guideline is advice — helpful but not mandatory unless a policy or standard adopts it.

Choosing the Best Answer

Pick the document by the missing need:

  • Broad management direction → policy.
  • A required configuration value, technical baseline, or minimum control level → standard (or baseline for a system build).
  • How to complete a task in order → procedure.
  • Suggested good practice → guideline.

Scenario A: A company already has a policy that mobile devices must protect company data. The security team now needs a mandatory rule that all managed phones use encryption, automatic locking, and supported OS versions — that is a standard. If the help desk needs the exact enrollment-and-verification steps, that is a procedure.

Scenario B: Support staff ask whether they may disclose account information to a caller. The privacy policy gives the governing rule; the procedure tells them how to verify identity and record the request. The best exam answer depends on the gap — lacking overall direction means policy; lacking exact steps means procedure.

Good governance documents work together: policy sets direction, standards and baselines define mandatory requirements, procedures show how to perform work, and guidelines offer recommendations. Privacy policy applies these ideas to personal information so users make consistent, trust-preserving, compliant decisions.

PII, PHI, and the Sensitivity Distinction

The CC exam distinguishes broad Personally Identifiable Information (PII) from the narrower, more sensitive categories. Protected Health Information (PHI) is health data tied to an individual and carries extra legal duties (in the United States, under HIPAA). Some identifiers are sensitive on their own; others become identifying only in combination:

Category          | Examples                                           | Sensitivity note
------------------|----------------------------------------------------|------------------------------------------
Direct identifier | Full name, Social Security number, passport number | Identifies a person alone
Quasi-identifier  | ZIP code, birth date, gender                       | Identifying only in combination
PHI               | Diagnoses, treatment, insurance records            | Regulated health data, stricter handling
Financial         | Card numbers, account balances                     | Often subject to PCI DSS-type rules

Anonymization irreversibly removes or generalizes identifiers (quasi-identifiers included, since they must be coarsened or suppressed, not only the direct ones) so that the data can no longer be linked to a person. Pseudonymization replaces direct identifiers with tokens and keeps the key or lookup table needed to reverse them separately protected; pseudonymized data is therefore still personal data (GDPR treats it as such) and still needs protection, it only lowers the harm if the data set alone is exposed. The exam favors collecting and exposing the least identifying form needed for the task, a privacy-by-design mindset that pairs directly with the data-minimization principle introduced earlier.
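The distinction above in working code. This is an added example, not part of the original page: the six records are constructed, fictional data, the HMAC key and the re-identification map are assumptions standing in for the "separately protected key", and the generalization rules (ZIP to a 3-digit prefix, birth date to a decade) are one illustrative choice. The pseudonymized set keeps every record and is reversible only with the map; the anonymized set drops direct identifiers, coarsens the quasi-identifiers, and suppresses any record whose quasi-identifier combination is shared by fewer than k records, because such a record would still be identifying in combination.

```python
"""Pseudonymization vs anonymization of a small personal-data set (added example)."""
import hashlib
import hmac
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "ssn")
QUASI_IDENTIFIERS = ("zip", "birth_date", "gender")

# Constructed sample records; all people and values are fictional.
RECORDS = [
    {"name": "Ann Lee",   "ssn": "111-22-3333", "zip": "02139", "birth_date": "1984-05-02", "gender": "F", "diagnosis": "asthma"},
    {"name": "Bo Chen",   "ssn": "222-33-4444", "zip": "02138", "birth_date": "1984-11-20", "gender": "F", "diagnosis": "flu"},
    {"name": "Cy Diaz",   "ssn": "333-44-5555", "zip": "02134", "birth_date": "1984-01-09", "gender": "F", "diagnosis": "diabetes"},
    {"name": "Di Evans",  "ssn": "444-55-6666", "zip": "10001", "birth_date": "1990-07-15", "gender": "M", "diagnosis": "flu"},
    {"name": "Ed Fox",    "ssn": "555-66-7777", "zip": "10002", "birth_date": "1990-03-30", "gender": "M", "diagnosis": "asthma"},
    {"name": "Fay Gupta", "ssn": "666-77-8888", "zip": "60601", "birth_date": "1975-12-01", "gender": "F", "diagnosis": "flu"},
]


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with keyed tokens.

    Returns (pseudonymized records, re-identification map). The map is the
    separately protected secret: it must live apart from the data set, and a
    holder of the data set alone cannot reverse the tokens. HMAC with a secret
    key (an assumed value here) makes the same person map to the same token in
    every run, so records stay linkable without exposing the identifier.
    """
    reid_map = {}
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            msg = f"{field}:{rec[field]}".encode()
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
            reid_map[token] = rec[field]
            new[field] = token
        out.append(new)
    return out, reid_map


def reidentify(pseudo_records, reid_map):
    """Reverse pseudonymization using the separately held map."""
    out = []
    for rec in pseudo_records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = reid_map[rec[field]]
        out.append(new)
    return out


def generalize(rec):
    """Drop direct identifiers and coarsen quasi-identifiers.

    ZIP keeps only its 3-digit prefix and birth date collapses to a decade;
    gender is left as-is. These rules are an illustrative assumption.
    """
    new = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
    new["zip"] = rec["zip"][:3] + "**"
    decade = int(rec["birth_date"][:4]) // 10 * 10
    new["birth_date"] = f"{decade}s"
    return new


def _qi_key(rec):
    return tuple(rec[f] for f in QUASI_IDENTIFIERS)


def k_anonymity(records):
    """Smallest group size over quasi-identifier combinations (k in k-anonymity)."""
    counts = Counter(_qi_key(r) for r in records)
    return min(counts.values()) if counts else 0


def anonymize(records, k=2):
    """Generalize, then suppress records whose quasi-identifier combination
    appears fewer than k times; those would still single a person out."""
    generalized = [generalize(r) for r in records]
    counts = Counter(_qi_key(r) for r in generalized)
    return [r for r in generalized if counts[_qi_key(r)] >= k]


if __name__ == "__main__":
    pseudo, reid = pseudonymize(RECORDS, b"assumed-secret-key")
    print("pseudonymized:", pseudo[0])
    print("reversible with map:", reidentify(pseudo, reid) == RECORDS)
    print("k of raw quasi-identifiers:", k_anonymity(RECORDS))
    anon = anonymize(RECORDS, k=2)
    print("anonymized rows kept:", len(anon), "k:", k_anonymity(anon))
```

Note what the numbers show: the raw records have k = 1 (each ZIP/birth date/gender combination is unique, so the "non-identifying" columns alone single everyone out), while the anonymized set reaches k = 2 only by dropping the one Chicago record that no other record resembles. Suppression, not just token substitution, is what anonymization costs.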

Test Your Knowledge

A company needs high-level management direction that sensitive data must be protected from unauthorized disclosure. Which document is the best fit?

Test Your Knowledge

Security needs a mandatory rule that all managed phones use encryption, auto-lock, and supported OS versions, supporting an existing mobile-device policy. Which governance document is this?

Test Your Knowledge

Which privacy practice is most appropriate when collecting personal information?
