| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | Incorporate security and data privacy practices in research processing |
| Id | 834b7a4a-83ab-2188-1a26-9c5033d8173b |
| Version | 1.1.0 |
| Versioning | Versions supported for Versioning: 1 (1.1.0); Built-in Versioning [Preview] |
| Category | Regulatory Compliance |
| Description | CMA_0331 - Incorporate security and data privacy practices in research processing |

Additional metadata

Name/Id: CMA_0331 / CMA_0331
Category: Operational
Title: Incorporate security and data privacy practices in research processing
Ownership: Customer

Description: Microsoft recommends that your organization incorporate security and data privacy practices during research processing. It is recommended that your organization store personal data used for carrying out studies and research in a controlled and secure environment, and pseudonymize or de-identify that personal data. Various data privacy regulations require that disclosure of the results, or of any portion of the study or research, does not reveal personal data under any circumstances. The research plan should state the affiliation of each person involved in the research and the purpose and anticipated scientific or public benefit of the research. Additionally, your organization should ensure that the researcher does the following:

- Uses the information only for the purposes set out in the research plan
- Does not publish or disclose the information except as required by law and subject to the exceptions
- Does not make contact or attempt to contact the individual
- Notifies the organization immediately in writing if the researcher becomes aware of any breach
- Complies with conditions and restrictions imposed by your organization related to the use, security, disclosure, return or disposal of the information
- Does not use the data for making a decision that produces legal or significant effects on the data subject

The General Data Protection Regulation (GDPR) states that the data subject, where personal data are processed for scientific or historical research purposes or statistical purposes, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The Canada Personal Health Information Protection Act (PHIPA) states that your organization may disclose personal health information to a researcher under certain conditions, such as if the research uses personal health information originating outside of Ontario, the research has been approved by a body outside Ontario that has the function of approving research, and the prescribed requirements are met. The Canada PHIPA also recommends that your organization ensure that the researcher complies with conditions set out by the research board and that a research plan is established.

As per Estonia's Personal Data Protection Act, scientific and historical research based on special categories of personal information shall undergo a prior verification by the ethics committee for the purpose of evaluating the organization's compliance activities. If there is no ethics committee in the scientific area, your organization may have to verify compliance through the Estonian Data Protection Inspectorate.

Belgium's Act on the Protection of Natural Persons with regard to the Processing of Personal Data requires organizations processing personal data for historical, scientific or statistical purposes not to engage in activities designed to convert anonymous or pseudonymized data into non-anonymous or non-pseudonymized data. Organizations may only de-pseudonymize data if it is necessary for the research or statistical purposes and, where applicable, after consulting the Data Protection Officer. The Act also requires controllers to anonymize or pseudonymize the data before sharing it with any other controller tasked with the further processing, and to ensure that the third party is unable to reproduce the data communicated. Only the controller of the original processing who pseudonymized the data, or the trusted third party, shall have access to the pseudonymization keys.

Requirements: The customer is responsible for implementing this recommendation.

| Field | Value |
|---|---|
| Mode | All |
| Type | BuiltIn |
| Preview | False |
| Deprecated | False |
| Effect | Default: Manual; Allowed: Manual, Disabled |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (1) Microsoft.Resources/subscriptions |

Compliance

The following 4 compliance controls are associated with this Policy definition 'Incorporate security and data privacy practices in research processing' (834b7a4a-83ab-2188-1a26-9c5033d8173b).