The first principle of the Generally Accepted Privacy Principles (GAPP), Management, requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.
For a privacy program to be appropriately established, an entity must have implemented a sound management infrastructure that supports its privacy strategy. This includes developing and implementing appropriate, well-documented policies that address the other nine privacy principles.
Specifically, the criteria outlined in GAPP indicate that management should do the following:
· Define and document its privacy policies with respect to the other nine principles of this framework (see Criterion 1.1.0)
· Communicate the privacy policies, and the consequences of noncompliance with them, to internal personnel (see Criterion 1.1.1)
· Design a system of responsibility and accountability by assigning a person or group to manage the privacy program (see Criterion 1.1.2)
· Design procedures and controls to periodically review and approve changes to the privacy policies and procedures (see Criterion 1.2.1)
· Design procedures and controls to ensure that the privacy program is in compliance with applicable laws and regulations and review them periodically and revise them when necessary (see Criterion 1.2.2)
· Design procedures and controls to ensure that the commitments and relationships the entity enters into with other businesses are consistent with its own privacy policies, and to address any inconsistencies (see Criterion 1.2.3)
· Design procedures and controls to ensure that the appropriate privacy infrastructure is put into place and developed, implemented, and maintained (see Criterion 1.2.4)
· Design procedures and controls to ensure that the entity provides adequate resources to achieve the privacy objectives (see Criterion 1.2.5)
· Design procedures and controls to establish appropriate qualifications for personnel responsible for protecting the privacy and security of personal information (see Criterion 1.2.6)
· Design procedures and controls to monitor and assess any changes in the business and regulatory environments that may affect the appropriateness of the existing privacy policies and procedures, and make any necessary changes (see Criterion 1.2.7)
Examples of related risks: If an entity does not assign accountability for its privacy program, the privacy of employees and customers will not be adequately protected, and the entity risks noncompliance with applicable legislation.
Download the Management Principle criteria table