KAMİS
Information Security
Privacy of Personal Information
Principle
When identity and contact information is requested from users, it must not be shared with other individuals or institutions without the user's permission, and users must be informed of this.
Description
Protecting personal information, and preventing its use for purposes other than those it was collected for, is the responsibility of every institution that collects and uses it. Websites should be designed with this in mind. If users are not assured that their personal information will not be shared, or if they have doubts about it, they may refrain from using the site or avoid providing accurate and complete information.
Guidelines
- When requesting users' personal information on websites, the purpose of collecting this information and where it will be used should be clearly specified.
- Personal information should not be used for purposes other than those stated. If there is any possibility that the information will be used for a different purpose, this should be presented to users in a form they can read comfortably and fully understand.
- When user information is stored or used, the user's consent should be obtained, and users should be given the opportunity to state their preferences regarding how their information is used.
- Entered information should be validated so that it is complete and free of errors; incomplete or incorrect records are themselves a privacy risk, since they may be acted on or shared in a form the user never intended.
- If mechanisms used on the website, such as cookies or plugins, store data on the user's computer or run other processes there, this should also be disclosed to users. Users should be able to disable cookies or plugins on the website whenever they wish.
- Excessive emphasis on the collection of personal data can create a negative impression, so information should be given in proportion to the risk, without repeatedly restating generally accepted principles.
References
- ISO 9241-151 / 7.2.8.3 – User control of personal information
- ISO 9241-151 / 7.2.8.4 – Storing information on the user’s machine
Useful Resources
- –
Credit Card Information
Principle
Websites should take measures to ensure user data security when users are required to make transactions with credit card information.
Description
In some cases, users may need to make transactions with credit cards to benefit from certain services. In such cases, necessary precautions should be taken to protect credit card information against any adverse situations.
Guidelines
- Explanations indicating that the site is secure for performing the relevant transaction should be stated clearly, in a way that users can understand.
- The site should serve all pages that handle card data over HTTPS, using TLS (the successor of SSL; SSL itself is obsolete and should not be enabled). The commonly quoted "128-bit" or "256-bit" figures refer to the symmetric cipher strength negotiated by TLS, not to the certificate. Certificates can be obtained from a certificate authority (e.g., KamuSM, Globalsign, Godaddy, RapidSSL, Verisign, etc.) by submitting an application.
- Users should be informed that credit card numbers are not stored in the system. Card data that is stored, processed or transmitted by the site's own systems falls under the PCI DSS requirements, so the preferred design is to hand the card data directly to the payment provider and keep at most a masked form (for example, the last four digits) for display.
- Credit card number fields should accept and display the number in the commonly accepted grouping (groups of four digits for 16-digit cards, 4-6-5 for 15-digit cards), and the number should be checked for typing errors (Luhn check) before submission.
- If expiry dates are selected from a menu, the date ranges must be kept up to date, and expired month/year combinations must be rejected.
- The "3D Secure" application should be used for credit card transactions on websites.
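The following is an added example, not code from the KAMİS guideline itself, showing the client-side pieces of the guidelines above: grouping the card number into the accepted segmentation, a Luhn check that catches typing errors, expiry-year options generated from the current date rather than a hard-coded list, a check that rejects already-expired month/year combinations, and a masking helper for the only form of the number that should ever reach the site's own logs or display. The function names are this example's own; the card numbers used are the well-known test numbers, not real cards. It assumes the raw number is sent only to the payment provider and never to the site's own server.

```javascript
// Added example (not part of the KAMİS guideline). Assumption: the raw PAN goes
// only to the payment provider; the site keeps at most the masked form.

// Group a card number into the commonly accepted segmentation:
// 4-4-4-4 (plus up to 3 trailing digits) for most cards, 4-6-5 for 15-digit cards.
function formatCardNumber(input) {
  const digits = String(input).replace(/\D/g, '').slice(0, 19);
  const groups = digits.length === 15 ? [4, 6, 5] : [4, 4, 4, 4, 3];
  const parts = [];
  let pos = 0;
  for (const size of groups) {
    if (pos >= digits.length) break;
    parts.push(digits.slice(pos, pos + size));
    pos += size;
  }
  return parts.join(' ');
}

// Luhn check: detects single-digit typos and most adjacent transpositions.
// It is an integrity check only, not proof that the card exists.
function luhnValid(input) {
  const digits = String(input).replace(/\D/g, '');
  if (digits.length < 12 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Expiry-year menu generated from "now", so the list never goes stale.
function expiryYearOptions(now = new Date(), span = 10) {
  const year = now.getFullYear();
  return Array.from({ length: span + 1 }, (_, i) => year + i);
}

// A card is valid through the last day of its expiry month.
// Accepts two- or four-digit years as they appear on the card.
function expiryInFuture(month, year, now = new Date()) {
  const m = Number(month);
  const y = Number(year);
  if (!Number.isInteger(m) || m < 1 || m > 12 || !Number.isInteger(y)) return false;
  const fullYear = y < 100 ? 2000 + y : y;
  // Day 0 of the following month is the last day of the expiry month.
  const endOfMonth = new Date(fullYear, m, 0, 23, 59, 59, 999);
  return endOfMonth >= now;
}

// The only representation of the number the site should keep or log.
function maskCardNumber(input) {
  const digits = String(input).replace(/\D/g, '');
  if (digits.length <= 4) return '*'.repeat(digits.length);
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Usage with a constructed (test) card number:
const sample = '4111 1111 1111 1111';
console.log(formatCardNumber(sample), luhnValid(sample), maskCardNumber(sample));
console.log(expiryYearOptions().slice(0, 3), expiryInFuture(12, 99));
```

The Luhn and expiry checks belong on the client only as usability aids; the payment provider and the 3D Secure step remain the authoritative validation, and the masked form is what should appear in receipts and logs.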
References
- ISO 9241-151 / 7.2.8.2 – Providing a business policy statement
Useful Resources
- –
Privacy Policies of Organizations
Principle
Corporate privacy policies and privacy agreements should be included on websites.
Description
When information entered by users and transactions they perform are stored, used, or shared, the corporate privacy policy should be presented in a clear, understandable, and easily accessible manner. Texts prepared by legal units can be quite extensive, and reading and comprehending them in one sitting can be difficult. These documents should be segmented, made digestible, and written in the terminology users themselves use.
Guidelines
- When users are asked to enter personal information, the purpose of requesting this information, how the information will be used, and whether the information will be shared should be disclosed, and, if applicable, it should be explained based on relevant laws, regulations, or standards.
- When incorporating corporate privacy policies, the P3P (Platform for Privacy Preferences Project) standard established by the World Wide Web Consortium (W3C) may be consulted for its vocabulary of policy elements. Note that W3C has since retired P3P and current browsers no longer act on P3P policies, so a P3P file cannot be relied on to enforce anything; the human-readable policy is what users will actually see.
- Instead of placing a long privacy policy text in the same section as an "I have read and understood" checkbox, provide a brief description together with a link to the detailed text, which makes both access and use easier.
- The text explaining the privacy policy should be written in a simple language that can be understood by site users, the font size should be readable, and line spacing should be reasonable.
References
- ISO 9241-151 / 7.2.8.1 – Providing privacy policy statements
- ISO 9241-151 / 7.2.8.2 – Providing a business policy statement
Useful Resources
- –