
Principle 8: Security for Privacy

The eighth principle of the Generally Accepted Privacy Principles (GAPP), Security for Privacy, requires that the entity protect personal information against unauthorized access (both physical and logical).

 

This fair information practice acknowledges that entities creating, maintaining, using, or disseminating personal information should take reasonable precautions to protect it from loss, misuse, unauthorized access, disclosure, alteration, and destruction. In this regard, personal information should be protected by safeguards (physical, organizational, and technological measures) that are appropriate to the sensitivity of the information[i]. Specifically, the criteria outlined in GAPP indicate that an entity should do the following:

 

·         Design privacy policies that address the security of personal information (see Criterion 8.1.0)

 

·         Communicate to individuals the precautions that are taken to protect personal information (see Criterion 8.1.1)

 

·         Design procedures and controls that ensure that a security program has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction (see Criterion 8.2.1)

 

·         Design procedures and controls to ensure that logical access to personal information is appropriately restricted (see Criterion 8.2.2)

 

·         Design procedures and controls to ensure that physical access to personal information in any form is appropriately restricted (see Criterion 8.2.3)

 

·         Design procedures and controls to ensure that personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards (see Criterion 8.2.4)

 

·         Design procedures and controls to ensure that personal information is protected when transmitted by mail or other physical means, and that personal information collected and transmitted over the Internet, over public and other nonsecure networks, and over wireless networks is protected by deploying industry-standard encryption technology for transferring and receiving personal information (see Criterion 8.2.5)

 

·         Design procedures and controls to ensure that personal information stored on portable media or devices is protected from unauthorized access (see Criterion 8.2.6); and

 

·         Design procedures and controls to ensure that tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information are conducted at least annually (see Criterion 8.2.7).

 

 

Examples of related risks: If appropriate security measures are not in place, unauthorized parties may be able to access and use, copy, disclose, alter, or destroy personal information. Significant harm could be done to individuals whose personal information is compromised, and the entity responsible for protecting that information could be held liable. Therefore, the more sensitive the personal information (for example, financial or medical data), the greater the potential harm and the need for increased security.


 

Download the Security for Privacy criteria table

 

[i] For example, consumers expect Internet transactions to be protected. Public key infrastructure (PKI) and digital certificates are important safeguards here. PKI is the framework of certification authorities, policies, and software that binds public keys to the identities of their holders. A digital certificate is a signed statement from a certification authority that a particular public key belongs to a named entity (such as a web site); a browser or other client uses it to authenticate the party it is communicating with and to establish an encrypted session, so that personal information in transit cannot be read or altered by a third party.

 

Copyright © 2009 by the American Institute of Certified Public Accountants, Inc., New York, New York.