SB.6.001 Authorized data distribution
The proces owner authorises distribution of confidential information explicitly to any recipient, internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed yearly. The authorisation includes which data can be shared, which persons/systems are authorised and under what conditions. Data can only be moved to hardcopy with express permission of the data owner. Information Security policy and controls are equally applicable to hardcopy data.
Internal data processing agreements are recommended to specify which data is transferred and the obligations for the receiving party with regards to handling and securing the data. Process owners are encouraged to periodically test if the appropriate measures are in place and remain responsible for the down-stream processing of the data.