M9-Pro-05 Justice, Trade & Work Fiduciary & Professional Services CORE Excellence v2.9.7

Robust Client Data Security & Confidentiality

This criterion assesses the organization's commitment to safeguarding client data and upholding confidentiality in accordance with Islamic principles and legal requirements. It evaluates the effectiveness of the policies, procedures, and technologies implemented to prevent unauthorized access, use, disclosure, or loss of client information, where client information includes personal, financial, and health-related data. The criterion examines data governance, security measures (physical, technical, and administrative), staff training, incident response protocols, and compliance with relevant data protection regulations.

Upholding client confidentiality is not only a legal obligation but also a fundamental requirement of Amanah (trustworthiness) in Islamic finance and professional services. This is underscored by Qur'an 33:72 (The Trust) and Qur'an 4:58 (rendering trusts to their owners). The concept of 'Sitr' (concealment/covering) requires organizations to actively protect client privacy and to refrain from undue curiosity or internal gossip (Ghibah). Furthermore, the principle of 'La darar wa la dirar' (no harm) requires strict controls for vulnerable clients to prevent harm from data misuse.

Effective data security builds the trust and confidence that long-term client relationships depend on. The organization should demonstrate a culture of data privacy in which 'Privacy by Design' is standard practice, continuously monitoring and improving its controls to address evolving threats.

Compliance (5 items)
  • RoPA & Lawful Basis: Art 30 Records, Art 6/9 Basis, LIA documentation. [Documentation | Essential]
  • Rights Management (DSARs): Procedure, Log, Verification, 30-day SLA. [Process | Essential]
  • Retention & Disposal: Schedule, Automated deletion, Secure destruction (NIST 800-88). [Process | Essential]
  • International Transfers: Register, IDTA/Addendum, TRA, Supplementary measures. [Governance | Essential]
  • Third-Party Assurance: Risk-tiering, Art 28 Contracts, Audit Rights, Exit Plans. [Governance | Essential]

Basic (1 item)
  • Governance & Islamic Ethics: Policy referencing Amanah/Sitr; Code of Conduct prohibiting Ghibah/curiosity. [Governance | Essential]

Good (3 items)
  • Access Control (JML): Joiner-Mover-Leaver process, MFA, Access Reviews. [Infrastructure (Baseline) | Essential]
  • Minimum Security Baseline (MCS): EDR, Patching (<14 days), Encrypted Backups + Tests, TLS/AES. [Infrastructure (Baseline) | Essential]
  • Incident Response: Playbooks, Tabletop exercises, Root Cause Analysis, Notification. [Process | Essential]

Better (3 items)
  • Enhanced Security Controls (ECS): SIEM, PAM, Zero Trust, DLP, HSM. [Infrastructure (Enhanced) | Advanced]
  • Privacy Portal for client self-service. [Transparency | High]
  • Islamic Ethics Scenarios in Training. [Culture | Medium]

Best (2 items)
  • Privacy Engineering / Privacy by Design in SDLC. [Technology | High]
  • Independent Assurance (ISO 27001 / SOC 2). [Governance | High]

Discussion (1)

Administrator 2026-03-07 11:08:18.292254

📋 **Version updated: 1.0.0 → 2.9.7**
**Changes:** Updated islamic_references from mizan-297.json
