PRPO-12

Do you share any institutional data with law enforcement without a valid warrant or subpoena?

Explanation

This question is asking whether your organization discloses customer or institutional data to law enforcement agencies without proper legal documentation (warrant or subpoena). In the context of a security assessment, this question evaluates your organization's commitment to data privacy and legal compliance. Organizations that handle sensitive data have both ethical and legal obligations to protect that data from unauthorized access, including from government entities without proper legal authority.

The question is important because:

1. Privacy regulations (like GDPR, CCPA, HIPAA) typically require organizations to protect data from unauthorized disclosure
2. Customers and institutions expect their data will only be shared when legally required
3. Improper disclosure can result in legal liability, reputational damage, and breach of contracts

When answering this question, you should be clear about your organization's policies regarding law enforcement requests. The best answers will reference:

- Your formal policy on data disclosure
- The legal review process for law enforcement requests
- Whether you require valid legal documentation before disclosure
- Any exceptions to your policy (if they exist)

If you do share data without warrants/subpoenas in specific circumstances (like emergencies involving imminent harm), be transparent about those exceptions and how they're governed.

Example Responses

Example Response 1

No, our organization does not share any institutional data with law enforcement without a valid warrant or subpoena. We have a formal Law Enforcement Data Request Policy that requires all requests to go through our legal department. Our legal team reviews each request to ensure it includes valid legal documentation (warrant, subpoena, or court order) before any data is disclosed. We maintain detailed records of all law enforcement requests and our responses. We also notify the affected customers/institutions of these requests when legally permitted to do so.

Example Response 2

No, we do not share institutional data with law enforcement without proper legal documentation. All law enforcement requests must be submitted in writing and include a valid warrant or subpoena. These requests are immediately escalated to our Chief Privacy Officer and legal counsel for review. In cases of national security letters or requests that include gag orders, we follow applicable laws while still ensuring proper legal documentation exists. We publish a transparency report annually that summarizes the number and types of law enforcement requests received, though we cannot disclose specific details about individual cases.

Example Response 3

Our standard policy is to require a valid warrant or subpoena before sharing any institutional data with law enforcement. However, we do maintain an exception process for emergency situations where there is an imminent threat to life or safety. In these rare cases, we may share limited data without a warrant if our Chief Security Officer and Legal Counsel jointly approve the disclosure after reviewing the emergency request. We document all such exceptions, limit the data shared to only what's necessary to address the emergency, and notify the affected institution after the fact. We've had to use this exception process twice in the past three years. While this means we technically do sometimes share data without a warrant, we believe this balanced approach protects both privacy and safety in extraordinary circumstances.

Context

Tab: Privacy
Category: Privacy Policies and Procedures
