
Managing Privacy Risk

About Fair Information Practices

Management

Notice

Choice and Consent

Collection

Use and Retention

Access

Disclosure

Security

Quality

Monitoring and Enforcement

Online and Offline—It's Still Privacy

Providing Solutions to Today’s Privacy Issues

Privacy Versus Confidentiality?

 

About Fair Information Practices


Internationally recognized fair information practices have been developed by experts worldwide as models for protecting the privacy of personal information and managing privacy risk. At a minimum, fair information practices call for the following actions:

 

  1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

  2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purpose for which personal information is collected, used, retained, and disclosed.

  3. Choice and Consent. The entity describes the choices available to individuals and obtains implicit or explicit consent from the individual with respect to the collection, use, disclosure, and retention of personal information.

  4. Collection. The entity collects personal information only for the purposes identified in the notice.

  5. Use and Retention. The entity limits the use of the personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary for the fulfillment of the stated purposes.

  6. Access. The entity provides individuals with access to their personal information for review and updates.

  7. Disclosure. The entity discloses personal information to third parties only for the purposes identified in the notice and with the individual’s implicit or explicit consent.

  8. Security. The entity protects personal information against unauthorized access (both physical and logical).

  9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

  10. Monitoring and Enforcement. The entity monitors compliance with its privacy policies and has procedures to address privacy-related inquiries and disputes.

The following guidance examines these ten fair information practices in terms of the rights of the individuals and the obligations of organizations. For each, the objectives and related risks are highlighted and specific privacy requirements are explained.

 


 

Management

 

For a privacy regime to be appropriately established, an organization must have implemented a good management infrastructure, including a system of accountability, which supports its privacy strategy. This includes developing, communicating, and reviewing an appropriate and well-documented policy that addresses the other nine components.

 

Specifically, the criteria outlined in the privacy framework indicate that management should do the following:

 

  • Design a privacy policy that defines and documents its privacy policies with respect to the other nine framework components.
  • Communicate the privacy policies and the consequences of noncompliance to internal personnel.
  • Design a system of accountability by assigning a person or group to manage the privacy system.
  • Design procedures and controls to:
      ◦ Periodically review and approve changes to the privacy policies and procedures.
      ◦ Ensure that the privacy system complies with applicable laws and regulations and is reviewed periodically and revised when necessary.
      ◦ Ensure that the entity enters into commitments to and relationships with other businesses that are consistent with its own privacy policies, and addresses any inconsistencies.
      ◦ Ensure that the appropriate privacy infrastructure is developed, implemented, and maintained.
      ◦ Ensure that the entity provides adequate resources to achieve the privacy objectives.
      ◦ Establish appropriate qualifications for personnel responsible for protecting the privacy and security of personal information.
  • Design procedures and controls to monitor and assess any changes in business and regulatory environments that may affect the appropriateness of the existing privacy policies and procedures, and make any necessary changes.

 

Various risks are associated with the failure to meet this component and related criteria.

 


 

Notice

 

This fair information practice acknowledges that an organization should make specific information about its privacy policies and procedures readily available to individuals. An organization must ensure that individuals obtain the information they need to make informed decisions about their business relationship with the organization.

 

Various risks are associated with the failure to meet these objectives. For example, if an individual cannot readily determine an organization’s privacy policies, trust and confidence will be undermined, resulting in the denial of consent to use personal information for business purposes.

 

Notice requires that an organization openly communicate to both employees and customers its policies and procedures for the management of personal information. To meet their responsibilities, employees must be aware of and understand the procedures for responding to individual inquiries, including those related to:

  • The name and title of the person accountable for the organization’s privacy program 
  • The name, title, and address of the person to whom access requests should be sent 
  • How individuals can access their personal information 
  • How individuals can file a complaint with the organization

In addition, an organization should inform individuals why it is collecting information about them (e.g., to provide benefits to employees, open an account, verify creditworthiness, or process a subscription). An organization is not allowed to mislead individuals about the reasons for collecting personal information. Furthermore, individuals should be informed as to how to contact the organization regarding any inquiries or complaints; any third parties to which personal information may be disclosed; and the choices and means for limiting the collection, use, and disclosure of their personal information. Various risks are associated with the failure to meet these objectives. For example, misrepresenting the purpose for collecting personal information may give rise to charges of deceptive business practices.

 


 

Choice and Consent

 

This fair information practice acknowledges the right of individuals to be provided with clear, conspicuous, readily available, and affordable mechanisms to exercise choice. An organization is obligated to inform and obtain permission from individuals before collecting or using their personal information for the purpose specified in the notice. If personal information is to be disclosed to a third party or used for a purpose other than that specified in the notice, individuals should be given the opportunity to voluntarily choose (opt-in or opt-out) whether or not to allow such disclosure or alternative use.

 

For sensitive personal information (e.g., information on medical or health conditions), individuals normally must give affirmative or explicit (opt-in) consent if their information is to be disclosed to a third party or used for a purpose other than for which it was originally collected or subsequently authorized by the individual. In any case, any information received from a third party, if the third party treats and identifies it as sensitive, should be treated by the organization as sensitive personal information.

 

Various risks are associated with the failure to meet these objectives. For example, an organization that fails to obtain consent from individuals before collecting, using, or disclosing their personal information may be subject to legal liability or sanctions, particularly if the obligation to seek consent is required by law. Furthermore, if consent is not obtained, or is obtained in ways inappropriate to the sensitivity of the personal information, the organization’s reputation may suffer, customer trust may be eroded, and customers may withdraw consent for the future use of their personal information. (There are some exceptions, however. Special cases are set out below with respect to situations in which an organization may collect, use, or disclose personal information without the knowledge or consent of an individual.)

 


 

Collection

 

As a general rule, this fair information practice precludes an organization from collecting personal information indiscriminately. Various risks are associated with the failure to meet the objective. Gathering more information than necessary may expose the organization to greater liability and security risks. In addition, it may raise the administrative costs of collecting and retaining the data, and increase the risk of inappropriate use and disclosure.

 

There are some exceptions to the general rule. An organization may collect personal information without the knowledge or consent of an individual under any of the following circumstances:

  • The collection is clearly in the interests of the individual and consent cannot be obtained in a timely way.
  • It is reasonable to expect that collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of federal or state laws.
  • The collection is solely for journalistic, artistic, or literary purposes.
  • The information is publicly available.

 


  

Use and Retention

 

As a general rule, this fair information practice precludes an organization from using personal information for other than the purposes specified in the notice, except with the explicit consent of the individual. It also precludes an organization from retaining personal information after the specified purposes are fulfilled.

 

Various risks are associated with the failure to meet the objectives. The unauthorized use of personal information can jeopardize customer trust and result in legal liability or sanctions. If a minimum retention period is not specified, personal information may be destroyed prematurely, making it unavailable for decision-making purposes. If a maximum retention period is not specified, personal information may become inaccurate over time; it may also become difficult to manage and increase the administrative costs of storing and archiving the data. The following are exceptions to the general rule whereby personal information may be used without an individual's knowledge or consent:

 

  • The use is clearly in the individual's interest and consent is not available in a timely way.
  • Knowledge and consent would compromise the availability or accuracy of the information, and collection was required to investigate a breach of an agreement or a contravention of a federal or state law.
  • The organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, state, or foreign law, and the information is used for that investigation.
  • An emergency threatens the individual's life, health, or security.
  • The information is being collected for statistical or scholarly study or research.
  • The information is publicly available.
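The two retention failure modes described above (no minimum period, so data is destroyed prematurely; no maximum period, so stale data accumulates) can be made mechanical with a retention schedule keyed by the purpose stated in the notice. The following Python is an added illustration, not part of the AICPA guidance: the purposes, day counts and records are constructed sample values, and the "hold / eligible / overdue" labels are this example's own vocabulary.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """Retention window, in days after collection, for one notice-stated purpose."""
    purpose: str
    min_days: Optional[int]   # None = no minimum specified (risk: premature destruction)
    max_days: Optional[int]   # None = no maximum specified (risk: stale, costly data)


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str          # must match a purpose identified in the notice
    collected_on: date


def schedule_gaps(rules: Dict[str, RetentionRule]) -> List[Tuple[str, str]]:
    """Flag the schedule defects the guidance warns about before any record is judged."""
    gaps = []
    for rule in rules.values():
        if rule.min_days is None:
            gaps.append((rule.purpose, "no minimum retention period"))
        if rule.max_days is None:
            gaps.append((rule.purpose, "no maximum retention period"))
        if rule.min_days is not None and rule.max_days is not None and rule.min_days > rule.max_days:
            gaps.append((rule.purpose, "minimum exceeds maximum"))
    return gaps


def classify(record: Record, rules: Dict[str, RetentionRule], today: date) -> str:
    """Decide what the schedule says about one record as of `today`."""
    rule = rules.get(record.purpose)
    if rule is None:
        # No notice-stated purpose covers this data, so nothing justifies retaining it.
        return "unmapped-purpose"
    age_days = (today - record.collected_on).days
    if rule.min_days is not None and age_days < rule.min_days:
        return "hold"        # destroying it now would be premature
    if rule.max_days is not None and age_days > rule.max_days:
        return "overdue"     # kept past the maximum: destroy or anonymise
    return "eligible"        # may be destroyed once the purpose is fulfilled


def retention_report(records: List[Record], rules: Dict[str, RetentionRule], today: date) -> Dict[str, str]:
    return {r.record_id: classify(r, rules, today) for r in records}


# Constructed sample schedule and records (illustrative values only).
SAMPLE_RULES = {
    "account_servicing": RetentionRule("account_servicing", min_days=365, max_days=7 * 365),
    "newsletter": RetentionRule("newsletter", min_days=None, max_days=730),
    "legacy_export": RetentionRule("legacy_export", min_days=None, max_days=None),
}
SAMPLE_RECORDS = [
    Record("r1", "account_servicing", date(2024, 3, 1)),
    Record("r2", "account_servicing", date(2015, 1, 1)),
    Record("r3", "newsletter", date(2023, 1, 1)),
    Record("r4", "marketing_profile", date(2023, 1, 1)),  # purpose absent from the notice
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    for purpose, problem in schedule_gaps(SAMPLE_RULES):
        print(f"schedule gap: {purpose}: {problem}")
    for record_id, status in retention_report(SAMPLE_RECORDS, SAMPLE_RULES, AS_OF).items():
        print(f"{record_id}: {status}")
```

Running `schedule_gaps` first matters: a record under `legacy_export` would always come back "eligible", which looks harmless but is exactly the unbounded retention the guidance describes. An "unmapped-purpose" result is the Collection and Use principles showing up in the data: the record cannot be tied to any purpose the individual was told about.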

 



Access

 

This fair information practice acknowledges the right of individuals to access their personal information held by an organization and to be provided with the means to review, update, block the further use of, or permanently erase that information. A corresponding obligation is imposed on the organization to facilitate the individual’s access rights on request. There are exceptions if the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or if the rights of persons other than the individual would be violated. In such cases, the individual should be given an explanation of why he or she is being denied access.

 

Typically, a request should be in writing and an organization should provide assistance, as needed, in preparing the request. A fee may be charged by the organization only if it has informed the individual of the approximate cost and the individual does not withdraw the request. In addition, an organization should respond to a request with due diligence and, in any case, usually not later than 30 days after receiving the initial request.

 

An organization that responds within the time limit and refuses a request should inform the individual in writing of the refusal, setting out the reasons and any recourse available. An organization with personal information that is the subject of a request must also retain that information for as long as it is necessary to allow the individual to exhaust any recourse available.

 

In some situations, an organization may not be able to provide access to all the personal information it holds about an individual. The reasons for denying access should be provided to the individual, on request. Exceptions may include information that:

  • Is prohibitively costly to provide.
  • Contains references to other individuals.
  • Cannot be disclosed for legal, security, or commercial proprietary reasons.
  • Is subject to attorney-client or litigation privilege.

 

In certain circumstances, a request for access can be legally denied, for example, giving an individual access to personal information that would reveal personal information about a third party. If that information is severable, the organization should delete the information about the third party before giving the individual access. This would not apply if the third party consents to the access or the individual needs that information because an individual’s life, health, or security is threatened.

 

Access to personal information may also be restricted because it relates to investigations of offences or national security, or as a result of any of the following:

 

  • The information is protected by attorney-client privilege.
  • Giving access would reveal confidential commercial information.
  • Giving access could reasonably be expected to threaten the life or security of another individual.
  • The information was collected with respect to investigating a breach of an agreement or a contravention of a law.
  • The information was generated in the course of a formal dispute resolution process.

 


  

Disclosure

 

As a general rule, this fair information practice acknowledges the right of individuals to be notified that personal information may be disclosed to third parties and to voluntarily choose (opt-in or opt-out) whether such information will be disclosed to a third party or used for a purpose that is other than that described in the notice, except as permitted by laws or regulations. A corresponding obligation is imposed on the organization to disclose personal information only to third parties who provide substantially equivalent protection to such personal information, and according to the specific notice and choice practices disclosed to the individual. Further transfers of the personal information by the third party should be permitted only if the transfer is also subject to practices affording an adequate level of protection.

 

Personal information may be disclosed without the individual's knowledge or consent to:

 

  • Assist a lawyer representing the organization.
  • Collect a debt the individual owes to the organization.
  • Comply with a law, subpoena, warrant, or order made by a court or other body with appropriate jurisdiction.
  • Assist a government institution requesting the information under lawful authority and indicating that disclosure is for the purpose of:
      ◦ Conducting an investigation, or gathering intelligence relating to any federal, state, local, or foreign law.
      ◦ Protecting national security or conducting international affairs.
      ◦ Administering any federal or state law.
  • Assist an investigative body for purposes related to the investigation of a breach of an agreement or a contravention of a federal, state, or local law.
  • Resolve an emergency threatening an individual's life, health, or security.
  • Assist in the compilation of a statistical study, scholarly study or research, or the work of an archival institution.


 

Security

 

This fair information practice acknowledges that organizations creating, maintaining, using, or disseminating personal information should take reasonable precautions to protect it from loss, misuse, unauthorized access or disclosure, alteration, and destruction. Personal information should be protected by safeguards (physical, organizational, and technological measures) that are appropriate to the sensitivity and value of the information.[1]

 

Various risks are associated with the failure to meet these objectives. For example, if appropriate security measures are not in place, unauthorized parties may be able to access and use, copy, disclose, alter, or destroy personal information. Significant harm could be done to individuals whose personal information is compromised, and the organization responsible for protecting that information could be held liable. Therefore, the more sensitive the information (for example, financial or medical data), the greater the potential harm and the need for increased security.

 


 

Quality

 

This fair information practice acknowledges that an organization should maintain accurate, complete, current, relevant, and reliable personal information for the purposes for which it is to be used. Personal information should be updated only when necessary to meet the identified purpose.

 

Various risks are associated with the failure to meet these objectives. For example, an individual might be harmed by the use or disclosure of inaccurate data. If an organization uses inaccurate or misleading personal information to make business decisions, customer relations may be jeopardized, resulting in lost profits and market share.

 


 

Monitoring and Enforcement

 

This fair information practice acknowledges that an organization should be responsible for the protection of personal information. In this respect, an organization should designate one or more individuals who are accountable for the organization's compliance with its stated privacy policies and for procedures to address privacy-related inquiries and disputes. Therefore, a privacy officer should be appointed to oversee privacy compliance and to implement policies and procedures that apply to all personal information under the organization’s control, including transfers to third parties.

 

Various risks are associated with the failure to meet these objectives. For example, in the absence of an effective accountability regime, personal information may be inadequately monitored, resulting in potential damage to the organization's reputation and business relationships. In addition, if an individual cannot readily determine an organization's privacy policies, or its procedures for raising privacy-related inquiries, trust and confidence will be undermined, resulting in the denial of consent to use personal information for business purposes. Furthermore, the inability to respond satisfactorily to inquiries and complaints could lead to a loss of business and have a negative effect on the organization's compliance with pertinent privacy laws, regulations, and guidelines.

 

This fair information practice also acknowledges the right of individuals to challenge an organization's compliance with stated privacy policies and procedures. An organization is obliged to provide the means by which an individual can exercise that right. This includes explaining the organization’s procedures and the various avenues of recourse available to the individual. Accordingly, it is important that the privacy officer develop easily accessible complaint procedures and inform complainants of avenues of recourse, including those of industry associations and regulatory bodies. To meet these responsibilities, the privacy officer (or a designated employee) would investigate all complaints received, taking care to record the date a complaint is received and the nature of the complaint, and acknowledge receipt of the complaint promptly. If necessary, the individual would be contacted to clarify the complaint.

 

Normally, the investigation would be assigned to a person with the skills necessary to conduct it fairly and impartially, and the investigator would be given access to all relevant records, employees, or others who handled the personal information or access request. The investigator would notify the individual of the outcome of the investigation, explaining any relevant steps taken. Any inaccurate personal information would be corrected and/or policies and procedures would be modified based on the outcome of the investigation.

 

Various risks are associated with the failure to meet these objectives. For example, individuals may make inquiries or lodge complaints on personal information matters such as delays in responding to a request, incomplete or inaccurate responses, improper collection or use, and improper disclosure or retention of that information. If an organization does not have an effective process for addressing such inquiries and complaints, individuals will not be able to assess how well their personal information is managed. This could destroy customer confidence, resulting in customer dissatisfaction and lost business.

 


 

Online and Offline—It's Still Privacy

 

Since 1997, the concept of online privacy has been hotly debated by a slew of consumer privacy advocacy groups that were awakened by new threats from the then-nascent Internet. In the few short years since then, as Internet use has exploded exponentially, the Web has become more familiar to consumers. Consumer advocacy groups are on the front lines battling companies that have violated consumer privacy or followed poor Internet privacy practices. Businesses with an online presence are under close scrutiny by many organizations, including watchdogs, regulators, and legislators, following how they collect and use their customers' personal information.

 

WebTrust for Online Privacy was developed by the AICPA and CICA to meet a very specific need for e-commerce businesses. As organizations address personal information about their customers or employees, they need to consider all of the privacy issues surrounding that information. Many organizations have turned to the accounting profession for privacy solutions. They are looking for help in developing good privacy practices throughout the organization and demonstrating to their customers that they manage personal information properly.

 

The business community is now asking for something broader in scope than just online privacy guidelines—they are looking for total, enterprise-wide privacy solutions. As the global economy evolves and information flows become borderless, organizations need solutions to help them manage those information flows effectively.

 

The goal is to have an integrated privacy program, instead of separate privacy policies and procedures for the Privacy Act of 1974, GLBA, HIPAA, and for online and offline activities. Clearly, it is in the public interest to have comprehensive privacy practices. It is also in the best interest of every organization that interacts with the public.

 


 

Providing Solutions to Today's Privacy Issues

 

Most organizations recognize that good privacy practices are central to corporate governance and accountability. It is acknowledged, however, that some organizations will do the minimum required to protect personal information and still comply with the law. Some can be coaxed to "do the right thing" and protect the privacy of their customers. Many others will see how privacy can be used as a competitive advantage. Whatever the motivation, businesses are looking for guidance and assistance in managing privacy risk. Each of these scenarios includes the CPA/CA, a trusted business adviser who is skilled at examining management information systems and adept at identifying the controls needed to effectively manage risk.[2]

 

Many members of the accounting profession are actively helping businesses develop and implement sound privacy programs. Building on this expertise, the AICPA and the CICA jointly established an Enterprise-Wide Privacy Task Force comprising a cross section of the accounting profession, including industry, large multinational firms, and small CPA/CA firms, as well as members in academia and the legal profession. Its mission is to examine the role CPAs/CAs can play in advising organizations about privacy issues and risks, and to develop a privacy framework that will serve as a benchmark for good privacy practices.

 

The Privacy Task Force has since developed a Privacy Framework that can be used by all CPAs/CAs (both in industry and in public practice) to guide and assist the organizations they serve in implementing privacy programs using a standard set of privacy best practices. This framework incorporates concepts from all significant domestic and international privacy laws, regulations, and guidelines. It is the intellectual capital and body of knowledge around which all other privacy advisory and assurance services can be built.

 

Research shows that many CPAs/CAs possess the skills necessary to implement effective privacy programs in any organization—no matter how big or small. They understand business processes, how information flows within an organization, and how to design privacy programs. Through a wide range of advisory and assurance services, CPAs/CAs have an opportunity to help businesses navigate the patchwork of privacy laws, regulations, and guidelines and focus on the heart of the matter—building trust between customers and businesses and "doing the right thing" by following good privacy practices.

 

CPAs/CAs in public practice will be able to offer clients a full range of services, including privacy strategic and business planning, privacy gap and risk analysis, benchmarking, privacy policy design and implementation, performance measurement, and independent verification of privacy controls. CPAs/CAs in industry can enhance their value to their employers through performing internal assessments against something they can measure—the AICPA/CICA Privacy Framework.

 


 

Privacy Versus Confidentiality?

 

Privacy, as defined by laws and regulations, is about individuals having control over the collection, use, disclosure, and retention of their personal information. Unlike privacy, there is no widely accepted definition of confidentiality but, in most cases, it is about keeping business information from being disclosed to unauthorized parties, and it is usually driven by agreements or contractual arrangements.

 




[1] For example, consumers demand that Internet transactions be protected. Public key infrastructure (PKI) and digital certificates are important safeguards. PKI is the framework that protects the data, using specialized encryption software and associated policies and services. PKI uses cryptographic keys to enhance security. Digital certificates (a kind of identification card that authenticates the holder's identity) are issued by certification authorities and serve as a type of Internet passport.

[2] A study by the NFIB Research Foundation, National Small Business Poll: Advice and Advisors, found that 74 percent of owners employing 20 or more people sought advice from their accountant and 83 percent took that advice.

Copyright © 2004 by the American Institute of Certified Public Accountants, Inc., New York, New York.