The seventh principle of the Generally Accepted Privacy Principles (GAPP), Disclosure to Third Parties, requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.
This fair information practice acknowledges the right of individuals to be notified that personal information may be disclosed to third parties and to voluntarily choose (opt in or opt out) whether such information will be disclosed to a third party or used for a purpose that is other than that described in the notice. A corresponding obligation is imposed on the entity to disclose personal information only to third parties who provide substantially equivalent protection to such personal information, and do so according to the specific notice and choice practices disclosed to the individual.
Further transfers of the personal information by the third party should be permitted only where the transfer is also subject to practices affording an adequate level of protection. Specifically, the criteria outlined in GAPP indicate that an entity should do the following:
- Design privacy policies that address the disclosure of personal information to third parties (see Criterion 7.1.0).
- Communicate to individuals that personal information is disclosed to third parties only for the purposes identified in the notice, and that only information for which the individual has provided consent will be disclosed, unless a law or regulation specifically allows or requires otherwise; the communication also discloses any limitation on the third party's privacy practices and controls (see Criterion 7.1.1).
- Communicate the privacy policies to third parties to whom personal information is disclosed (see Criterion 7.1.2).
- Design procedures and controls to ensure that personal information is disclosed only for the purposes described in the notice, and only information for which the individual has provided consent will be disclosed, unless a law or regulation specifically allows or requires otherwise (see Criterion 7.2.1).
- Design procedures and controls to ensure that personal information is disclosed only to third parties that have agreements with the entity to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction (see Criterion 7.2.2).
- Design procedures and controls to ensure that personal information is disclosed to third parties for new purposes or uses only with the prior consent of the individual (see Criterion 7.2.3).
- Design procedures and controls to ensure that the entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information (see Criterion 7.2.4).
In addition, personal information may be disclosed without the individual's knowledge or consent:
- To a lawyer representing the entity
- To collect a debt the individual owes to the entity
- To comply with a law, a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction
- To a government institution requesting the information under lawful authority and indicating that disclosure is for the purpose of:
  - Enforcing, carrying out an investigation or gathering intelligence relating to any federal, state, or foreign law
  - National security or the conduct of international affairs
  - Administering any federal or state law
- If made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal or state law
- In an emergency threatening an individual's life, health, or security
- For statistical purposes, scholarly study, or research, or to an archival institution
- Twenty years after the individual's death or 100 years after the record was created
- If publicly available
Examples of related risks: An entity that passes data on to a third party with substantially inferior privacy policies risks alienating its customers if the information is mishandled and the mishandling results in a negative event, such as identity theft.