The second principle of the Generally Accepted Privacy Principles (GAPP), Notice, requires that the entity provide notice about its privacy policies and procedures and identify the purposes for which personal information is collected, used, retained, and disclosed.
This fair information practice acknowledges that an entity should make readily available to individuals specific information about its privacy policies and procedures. In this respect, an entity must ensure that accountability for personal information is effectively implemented and, at the same time, individuals are able to obtain the information they need to make informed decisions about their business relationships with the entity.
Specifically, the criteria outlined in GAPP indicate that an entity should do the following:
· Design a privacy policy that addresses providing notice to individuals (see Criterion 2.1.0)
· Communicate the notice to individuals (see Criterion 2.1.1)
· Design procedures and controls to ensure that notice is provided initially, when the privacy policy changes, and when the uses of personal information change (see Criterion 2.2.1)
· Design procedures and controls to ensure that an objective description of the entities and activities covered by the privacy policies and procedures is included in the privacy notice (see Criterion 2.2.2)
· Design procedures and controls to ensure the use of clear and conspicuous language in the privacy notice (see Criterion 2.2.3)
Notice requires that an entity openly communicate to both employees and customers its policies and procedures for management of personal information.
For employees to meet their responsibilities, it is important for them to be aware of the proper procedures for responding to individual inquiries, including:
· The name and title of the person accountable for the entity's privacy program
· The name, title, and address of the person to whom access requests should be sent
· How individuals can access their personal information
· How individuals can file a complaint with the entity
The entity should inform individuals why it is collecting information about them. For example, the entity may use the information to provide benefits to the employee, open an account for the individual, verify creditworthiness, or process a subscription request. In this regard, an entity is not allowed to mislead individuals about the reasons for collecting personal information. Furthermore, individuals must be told how to contact the entity regarding any inquiries or complaints; any third parties to whom the information may be disclosed; and the choices and means for limiting the collection, use, and disclosure of their personal information.
Examples of related risks: If an individual cannot readily determine an entity's privacy policies, trust and confidence may be undermined, resulting in denial of consent to use personal information for business purposes. Also, misrepresenting the purpose for collecting personal information may give rise to charges of deceptive business practices.