Audit and Certification Process
Schellman provides audit and certification services in accordance with the relevant program standards. This description of our audit and certification process is provided to prospective clients and addresses each major stage of the audit and certification processes. Prospective clients are also informe
APEC Certification Overview
The Asia-Pacific Economic Cooperation (APEC) member economies developed a privacy framework as a voluntary system that sets out standards for the protection of personal information as that data moves across borders. Controllers that participate in the program are assessed by an Accountability Agent against the Cross Border Privacy Rules (CBPR) and, if compliant, receive a certification. Processors are assessed against the Privacy Recognition for Processors (PRP) requirements and likewise receive a certification if compliant with the program.
As an APEC Accountability Agent, Schellman's APEC Privacy Certification program evaluates a United States-based organization's privacy practices against the certification minimum requirements included below. These certification standards follow the APEC Privacy Recognition for Processors (PRP) Program Requirements.
The Schellman certification seal is a service mark of Schellman. The Schellman certification seal may not be used in connection with any product or service that was not within the scope of the CBPR certification review, or in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Schellman. The certification seal should be used only upon the granting or extending of a CBPR certification.
Initial Certification Assessment
During the initial assessment of a new client or the reassessment of an existing client, Schellman performs a formal review to help ensure that engaging the client does not create a conflict of interest. Once the client and Schellman agree on scope and timing, a job arrangement letter (JAL) is documented to record the contractual agreements between the client and Schellman pertaining to the certification services.
The planning phase occurs in advance of the project execution phase, at least one month prior to project execution. The planning phase includes providing the CBPR Intake Questionnaire, discussions with the client regarding the timing of execution and the details of the scope, collection of the documentation the client must provide to Schellman, and various other planning documents as required.
Project execution, also known as fieldwork, consists of testing procedures performed both onsite and remotely to evidence the certification minimum requirements included below. The testing procedures may include one or more of the following:
- Inquiry of relevant personnel with the requisite knowledge and experience regarding the performance and application of the related requirement. This includes in-person interviews, telephone calls, e-mails, web-based conferences, or a combination of the preceding.
- Observation of the relevant processes or procedures during fieldwork, including but not limited to witnessing the performance of controls, or the evidence of control performance, with the personnel, systems, or locations relevant to the performance of control policies and procedures.
- Inspection of the relevant audit records, including but not limited to policies, documents, system configurations and settings, or the existence of sampling attributes such as signatures, approvals, or logged events. In some cases, inspection testing may involve tracing events forward to consequent system documentation or processes (e.g. resolution, detailed documentation, alarms, etc.) or backwards to prerequisite events (e.g. approvals, authorizations, etc.).
During project execution, and/or at its completion, Schellman will notify the client of any areas that are not compliant. After project execution, Schellman will provide the client with a report outlining the compliant areas and, if applicable, the non-compliant areas. Non-compliant areas must be remediated within the timeframe provided by Schellman. Once remediated, the client must provide Schellman with sufficient evidence of the remediation. All minimum program requirements must be met before certification is granted.
Ongoing Monitoring and Compliance Review
Participants are monitored throughout the certification period to ensure compliance with the program. Monitoring activities may include periodic reviews of the Participant's privacy notice for updates or modifications, and investigation of any disputes received by Schellman. They may also include a review of any matters disclosed on the Participant's website other than the privacy notice. Schellman may request documentation from the Participant, or conduct onsite visits, to validate compliance. Schellman will notify the Participant in advance to allow for documentation collection and scheduling of the onsite visit.
Re-Certification and Annual Attestation
To maintain their certification, clients must be recertified every year following the date of initial certification. The recertification process includes:
- An updated and completed PRP Intake Questionnaire provided by the client. Schellman will review the completed form for any changes since the initial certification.
- If there has been a material change, as reasonably determined by the Accountability Agent, Schellman will perform a review similar to the initial certification fieldwork process outlined above.
- An audit report will be provided to the Participant outlining the Accountability Agent's findings regarding the Participant's level of compliance with the program requirements. The report will include any areas of non-compliance, the corrections the Participant needs to make, and the time-frame within which the corrections must be completed for purposes of obtaining re-certification.
- If areas of non-compliance were found during the re-certification process, Schellman will review documentation provided by the Participant to verify that the correction has been completed and is compliant before re-certification is granted.
- Upon verification that the requirements are met, a final report will be provided to the Participant as notice of compliance with the program requirements and of the Participant's re-certification.
Certification shall be suspended in cases when, for example:
- The client was found to be in breach of the program's requirements and the findings have not been resolved within the required time-frame, which shall not exceed a period of six (6) months or the due date of the annual recertification;
- The certified client does not allow re-certification audits to be conducted at the required frequencies;
- Where there are reasonable grounds to believe that a Participant has engaged in a practice that may constitute a breach of the program requirements; or
- The certified client has voluntarily requested a suspension.
Schellman will communicate the suspension status to the client along with the remediation requirements. Under suspension, the client's certification is temporarily invalid. The JAL contains the enforceable arrangements regarding suspension of the certification, including the additional agreed-upon fees for the additional compliance review, to help ensure that, in case of suspension, the client refrains from further promotion of its certification and from use of the Schellman certification seal. Schellman is required to make the suspended status of the certification publicly accessible on the company website.
The certificate remains suspended until the Participant has provided sufficient evidence of remediation within the required timeframe, which shall not exceed a period of six (6) months or the due date of the annual recertification. Upon receipt of sufficient evidence of remediation within the required timeframe, Schellman will review the evidence to determine whether the certificate should be reinstated. The results are communicated to the client in an audit report. Failure to resolve the issues that led to the suspension within the time established by Schellman will result in withdrawal of the certification or, where applicable, a reduction in its scope.
Where the client has persistently or seriously failed to meet the program requirements for only part of the scope of certification, Schellman may instead reduce the scope of the certification to exclude the parts that do not meet the requirements.
Certification Minimum Requirements
Clients must meet the following minimum certification requirements before certification is granted.
- Implement an information security policy that covers personal information processed on behalf of a controller.
- Implement physical, technical and administrative safeguards, which may include the following, and periodically review and reassess the implemented measures to evaluate their relevance and effectiveness:
  - Authentication and access control (e.g. password protections)
  - Boundary protection (e.g. firewalls, intrusion detection)
  - Audit logging
  - Monitoring (e.g. external and internal audits, vulnerability scans)
- Implement regular training and oversight of employees to ensure they are aware of the importance of, and obligations for, respecting and maintaining the security of personal information. Procedures may include the following:
  - Documented training program for employees
  - Regular staff meetings or other documented communications
  - Security policy signed by employees
- Implement measures to detect, prevent, and respond to attacks, intrusions, or other security failures related to personal information. The measures implemented should be tested on a periodic basis and measures should be adjusted to reflect the results of the tests.
- Implement a notification process to notify the controller of any breach of the privacy or security of the personal information processed on the controller's behalf.
- Implement procedures for the secure disposal or return of personal information when instructed by the controller or upon termination of the relationship with the controller.
- Perform periodic third-party certifications or other risk assessments and adjust the security safeguards to reflect the results of these certifications or risk assessments.
- Implement policies to ensure that processing of personal information is limited to the purposes specified by the controller.
- Implement procedures to delete, update, and correct information upon request from the controller where necessary and appropriate.
- Implement measures to ensure compliance with the controller’s instructions related to the activities of personal information processing.
- Appoint an individual(s) to be responsible for the overall compliance with the requirements of the PRP.
- Implement procedures to forward privacy-related individual requests or complaints to the controller or to handle them when instructed by the controller.
- Implement procedures to notify controllers, except where prohibited by law, of judicial or other government subpoenas, warrants or orders that require the disclosure of personal information.
- Notify the controller of your engagement of subprocessors.
- Implement mechanisms with subprocessors to ensure that personal information is processed in accordance with your obligations under the PRP. Mechanisms should require subprocessors to perform the following:
  - Follow instructions provided by your organization relating to the manner in which personal information must be handled
  - Impose restrictions on further subprocessing
  - Have their PRP recognized by an APEC Accountability Agent in their jurisdiction
  - Provide your organization with self-assessments or other evidence of compliance with your instructions and/or agreements/contracts
  - Allow your organization to carry out regular spot checking or other monitoring activities
- Regularly train employees on the organization’s privacy policies and procedures and related client instructions.