PII Accuracy and Quality Policy

The PII Accuracy and Quality Policy defines how an organization maintains the accuracy, completeness, currency, adequacy and relevance of personally identifiable information processed within the Privacy Information Management System. Its stated purpose is to ensure that PII used by the organization remains accurate and fit for the processing purposes recorded in the PIMS, and that inaccurate, incomplete, outdated or disputed PII is corrected, synchronized or escalated using controlled evidence. The policy applies across controller, joint controller, processor and subprocessor contexts, with controller obligations treated as primary and processor or subprocessor obligations applying where the organization supports controller correction, synchronization or accuracy-related instructions. The policy is structured around practical operational controls rather than a standalone data quality programme. It expressly does not create a separate data quality register, master data governance function, analytics data quality framework or AI training-data quality framework. Instead, it embeds accuracy and quality requirements into existing PIMS records and workflows. REG02 is used to record accuracy ownership, authoritative source, high-impact record flags, accuracy review frequency, accuracy check methods, system linkages and stale data indicators. REG06 is used for PII principal-originated correction claims and accepted correction items. REG08 supports joint-controller allocations, customer correction-support obligations, authorized instruction channels, processor and subprocessor evidence, recipient notifications and downstream acknowledgements. REG12 consolidates monitoring status, gaps, exceptions, nonconformities, corrective actions and management review evidence. A central feature of the policy is the concept of the high-impact record. The policy defines this as a PII record used to grant, deny, modify or materially affect access to a service, contract, employment matter, financial outcome, health-related outcome, eligibility decision, identity decision, risk decision or other decision where inaccurate PII could materially affect a PII principal. These records receive specific controls: they must be classified in REG02 before controller processing begins and annually thereafter, reviewed at least annually, and checked before reliance where review dates are overdue. System Owners must identify stale data indicators for high-impact system records before go-live and within 30 days of material system change. Where high-impact accuracy issues remain unresolved, recur, or pass approved due dates, the policy requires escalation into REG12 and, where necessary, to Top Management. The correction workflow connects privacy rights handling, business validation and technical implementation. PII principal-originated correction claims are linked from REG06 to the affected REG02 processing activity within five business days of assignment. Accepted correction items must be assigned to both the Process Owner or Business Owner and the System Owner or Application Owner within two business days after entering substantive review. The Process Owner validates proposed corrections against the authoritative source, processing purpose and current REG02 record within 10 business days, while the System Owner implements approved corrections in the source system and records completion in REG06 and REG02 within five business days of approval or by the approved due date. The policy also requires documented advice before correction refusal, disputed closure or high-impact correction decisions, and it routes erasure, retention restriction, deletion or disposal-only outcomes to the related workflow when correction alone is not the required outcome. Synchronization and oversight are also explicitly addressed. Before implementing an approved correction, relevant source systems, linked applications, replicas, interfaces and reports must be identified in REG02. Approved corrections must then be synchronized across identified in-scope systems, while recipients, processors or data-sharing parties are tracked through REG08 when downstream updates are required. Quarterly metrics include the percentage of high-impact REG02 processing activities with a current accuracy review, open and overdue correction items from REG06, and unresolved synchronization failures from REG08 and REG12. Exceptions must be requested, assessed, time-limited to no more than 90 days, and closed or reassessed. The policy is reviewed annually and within 30 days of material legal, processing, system or certification-scope change, with material changes approved by Top Management before publication.