Principle 1: Management

The first principle of the Generally Accepted Privacy Principles (GAPP), Management, requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.

For a privacy program to be appropriately established, an entity must have implemented a good management infrastructure that supports its privacy strategy. This includes developing and implementing appropriate and well-documented policies that address the other nine privacy principles.

Specifically, the criteria outlined in GAPP indicate that management should do the following:

  • Design a privacy policy that defines and documents its privacy policies with respect to the other nine principles of GAPP (see Criterion 1.1.0)

  • Communicate the privacy policies to internal personnel and consequences of noncompliance (see Criterion 1.1.1)

  • Design a system of responsibility and accountability by assigning a person or group to manage the privacy program (see Criterion 1.1.2)

  • Design procedures and controls to periodically review and approve changes to the privacy policies and procedures (see Criterion 1.2.1)

  • Design procedures and controls to ensure that the privacy program is in compliance with applicable laws and regulations and review them periodically and revise them when necessary (see Criterion 1.2.2)

  • Design procedures and controls to ensure that the types of personal information and sensitive personal information are identified (see Criterion 1.2.3)

  • Design procedures and controls to ensure that a risk assessment process is used to establish a risk baseline and identify new or changed risks to personal information (see Criterion 1.2.4)

  • Design procedures and controls to ensure that commitments and relationships with other businesses entered into by the entity are consistent with its own privacy policies and address any inconsistencies (see Criterion 1.2.5)

  • Design procedures and controls to ensure that the appropriate privacy infrastructure is put into place and developed, implemented, and maintained (see Criterion 1.2.6)

  • Design procedures and controls to establish a documented privacy incident and breach management program (see Criterion 1.2.7)

  • Design procedures and controls to ensure that the entity provides adequate resources to achieve the privacy objectives (see Criterion 1.2.8)

  • Design procedures and controls to establish appropriate qualifications for personnel responsible for protecting the privacy and security of personal information (see Criterion 1.2.9)

  • Design procedures and controls to establish a privacy awareness program and ensure that specific training for selected personnel is provided (see Criterion 1.2.10); and

  • Design procedures and controls to monitor and assess any changes in business and regulatory environments that may affect the appropriateness of the existing privacy policies and procedures and make any necessary changes (see Criterion 1.2.11).

Examples of related risks: If an entity does not assign accountability for its privacy program, the privacy of employees and customers will not be adequately protected, and the entity will be exposed to noncompliance with required legislation.

Download the Management Criteria table

Copyright © 2009 by the American Institute of Certified Public Accountants, Inc., New York, New York.