The fifth principle of the Generally Accepted Privacy Principles (GAPP), Use and Retention, requires that the entity limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
As a general rule, this fair information practice precludes an entity from using personal information for purposes other than those specified in the notice and from retaining the information after the specified purposes are fulfilled. Specifically, the criteria outlined in GAPP indicate that an entity should do the following:
· Design privacy policies that address the use and retention of personal information (see Criterion 5.1.0)
· Communicate use and retention policies to individuals (see Criterion 5.1.1)
· Design procedures and controls to ensure that the use of personal information is only for purposes identified in the notice and only if the individual has provided consent, unless a law or regulation specifically requires otherwise (see Criterion 5.2.1)
· Design procedures and controls to ensure that personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise, and personal information no longer retained is disposed of in a manner that prevents loss, misuse, or unauthorized access (see Criterion 5.2.2).
Some exceptions to the general rule exist. Personal information may be used without an individual's knowledge or consent if any of the following is true:
· If the use is clearly in the individual's interest and consent is not available in a timely way.
· If knowledge and consent would compromise the availability or accuracy of the information, and collection were required to investigate a breach of an agreement or contravention of a federal or state law.
· If the entity has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, state, or foreign law and the information is used for that investigation.
· If there is an emergency that threatens the individual's life, health, or security.
· If the use is for statistical or scholarly study or research.
· If the personal information is publicly available.
Examples of related risks: Unauthorized use or disclosure of personal information can jeopardize customer trust and result in legal liability or sanctions. If a minimum retention period is not specified, personal information may be destroyed prematurely, making it unavailable for decision-making purposes. If a maximum retention period is not specified, personal information may become inaccurate over time. It may also be difficult to manage and may increase administration costs for storing and archiving the data.