GAPP is designed to assist management in creating an effective privacy program that addresses their privacy obligations, risks, and business opportunities.
The privacy principles and criteria are founded on key concepts from significant local, national, and international privacy laws, regulations, guidelines,[i] and good business practices. By using GAPP, organizations can proactively address the significant challenges that they face in establishing and managing their privacy programs and risks from a business perspective. GAPP also facilitates the management of privacy risk on a multijurisdictional basis.
Overall Privacy Objective
The privacy principles and criteria are founded on the following privacy objective:
Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.
Generally Accepted Privacy Principles
The privacy principles are essential to the proper protection and management of personal information. They are based on the internationally recognized fair information practices that appear in many privacy laws and regulations around the world, and on recognized good privacy practices.
The following are the 10 generally accepted privacy principles:
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.
For each of the 10 privacy principles, relevant, objective, complete, and measurable criteria have been specified to guide the development and evaluation of an entity's privacy policies, communications, and procedures and controls. Privacy policies are written statements that convey management's intent, objectives, requirements, responsibilities, and standards. Communications are the organization's statements to individuals, internal personnel, and third parties about its privacy notice, the commitments made in it, and other relevant information. Procedures and controls are the other actions the organization takes to achieve the criteria.
Using GAPP
GAPP can be used by organizations for the following:
- Designing, implementing, and communicating privacy policy
- Establishing and managing privacy programs
- Monitoring and auditing privacy programs
- Measuring performance and benchmarking
Establishing and managing a privacy program involves the following activities:
Strategizing. Performing privacy strategic and business planning.
Diagnosing. Performing privacy gap and risk analyses.
Implementing. Developing, documenting, introducing, and institutionalizing the program’s action plan, including establishing controls over personal information.
Sustaining and managing. Monitoring activities of a privacy program.
Auditing. Internal or external auditors evaluating the organization’s privacy program.
The following summarizes, activity by activity, how an organization can use GAPP to address these business activities. Each entry gives a general discussion of the activity followed by the potential use of GAPP within it.

Strategizing

General discussion:
Vision. An entity's strategy is concerned with its long-term direction and prosperity. The vision identifies the entity's culture and helps shape and determine how the entity will interact with its external environment, including customers, competitors, and legal, social, and ethical issues.
Strategic planning. This is the entity's overall master plan, encompassing its strategic direction. Its objective is to ensure that all of the entity's efforts are headed in a common direction. The strategic plan identifies the entity's long-term goals and the major issues to be resolved in becoming privacy compliant.
Resource allocation. This step identifies the human, financial, and other resources allocated to achieve the goals and objectives set out in the strategic plan or business plan.

Potential use of GAPP:
Vision. Within an entity's privacy effort, establishing the vision helps the entity integrate preferences and prioritize goals.
Strategic planning. Within an entity's privacy effort, GAPP can be used to identify the significant components that need to be addressed.
Resource allocation. Using GAPP, the entity identifies the people working with, and responsible for, areas such as systems management and privacy and security concerns, and stipulates the resourcing for their activities.
Overall strategy. A strategic document describes expected or intended future development. GAPP can assist an entity in clarifying plans for the systems under consideration or for the business's privacy objectives. The plan identifies the process for achieving goals and milestones. It also provides a mechanism to communicate critical implementation elements, including details on services, budgets, development costs, promotion, and privacy advertising.

Diagnosing

General discussion:
This stage, often referred to as the assessment phase, encompasses a thorough analysis of the entity's environment, identifying where weaknesses, vulnerabilities, and threats exist. The most common initial project for an organization is a diagnostic assessment. Its purpose is to evaluate the entity against its privacy goals and objectives and determine to what extent the organization is achieving them.

Potential use of GAPP:
GAPP can assist the entity in understanding its high-level risks, opportunities, needs, privacy policy and practices, competitive pressures, and the requirements of the laws and regulations to which the entity is subject.
GAPP provides a legislation-neutral benchmark that lets the entity assess the current state of privacy against the desired state.

Implementing

General discussion:
At this point an action plan is mobilized, a diagnostic recommendation is put into effect, or both. Implementing involves developing and documenting a privacy program and action plan and executing all planned and other tasks necessary to make the action plan operational. It includes defining who will perform which tasks, assigning responsibilities, and establishing schedules and milestones. This involves planning and carrying out a series of projects that provide guidance, direction, methodology, and tools to the organization in developing its initiatives.

Potential use of GAPP:
GAPP can assist the entity in meeting its implementation goals. At the completion of the implementation phase, the entity should have developed the following deliverables:
· Systems, procedures, and processes that address the privacy requirements
· Updated privacy-compliant forms, brochures, and contracts
· Internal and external privacy awareness programs

Sustaining and managing

General discussion:
Sustaining and managing involves monitoring the work to identify how progress differs from the action plan in time to initiate corrective action. Monitoring refers to the management policies, processes, and supporting technology that ensure compliance with organizational privacy policies and procedures and the ability to demonstrate due diligence.

Potential use of GAPP:
The entity can use GAPP to develop appropriate reporting criteria for monitoring requests for information, the sources used to compile the information, and the information actually disclosed. It can also be used to determine validation procedures that ensure the parties to whom information was disclosed are entitled to receive it.

Internal privacy audit

General discussion:
Internal auditors provide objective assurance and consulting services designed to add value and improve an entity's operations. They help an entity accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

Potential use of GAPP:
Internal auditors can evaluate an entity's privacy program and controls using GAPP as a benchmark and provide useful information and reporting to management.

External privacy audit

General discussion:
External auditors, notably certified public accountants (CPAs) and chartered accountants (CAs), can perform attestation and assurance services. Generally, these services, whether performed on financial or nonfinancial information, build trust and confidence for individuals, management, customers, business partners, and other users.

Potential use of GAPP:
An external auditor can evaluate an entity's privacy program and controls in accordance with GAPP and provide reports useful to individuals, management, customers, business partners, and other users.