The fourth principle of the Generally Accepted Privacy Principles (GAPP), Collection, requires that the entity collect personal information only for the purposes identified in the notice. As a general rule, this fair information practice precludes an entity from collecting personal information indiscriminately.
Specifically, the criteria outlined in GAPP indicate that an entity should do the following:
· Design privacy policies that address the collection of personal information (see Criterion 4.1.0)
· Communicate to individuals that personal information is collected only for the purposes identified in the notice (see Criterion 4.1.1)
· Communicate to individuals types of personal information collected and the methods of collection used (see Criterion 4.1.2)
· Design procedures and controls to document and describe the types of personal information collected and methods of collection in the privacy notice (see Criterion 4.2.1)
· Design procedures and controls to limit the collection of personal information to that necessary for the purposes identified in the notice (see Criterion 4.2.2)
· Design procedures and controls to ensure that methods of collection are fair and lawful (see Criterion 4.2.3)
· Design procedures and controls to ensure that management confirms that personal information obtained from third parties was collected fairly and lawfully (see Criterion 4.2.4)
Some exceptions to the general rule exist. An entity may collect personal information without the knowledge or consent of an individual if any of the following is true:
· The collection is clearly in the interests of the individual and consent cannot be obtained in a timely way.
· It is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of federal or state laws.
· The collection is solely for journalistic, artistic, or literary purposes.
· The information is publicly available.
Examples of related risks: Gathering more information than necessary may expose the entity to greater liability and security risks. In addition, it may raise the administrative costs of collecting and retaining the data, and increase the risk of inappropriate use and disclosure.