An internal-facing policy for the treatment of personal information. It can be used as a stand-alone policy or incorporated into an information security program, a code of conduct, or an employee handbook. This Standard Document is not tailored to any specific state, foreign, or sector-specific law. Specific laws may impose additional or different requirements, but this policy provides a useful starting point for any personal information treatment policy. This Standard Document has integrated notes with important explanations and drafting tips.