An Executive Overview of GAPP. Generally Accepted Privacy Principles

Similar documents
Generally Accepted Privacy Principles. August 2009

Privacy Risk Assessments

HIPAA Compliance and Reporting Requirements

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

Privacy Policy. February, 2015 Page: 1

Guidelines on Data Protection. Draft. Version 3.1. Published by

The potential legal consequences of a personal data breach

Data Compliance. And. Your Obligations

Information Governance Policy

Corporate Policy. Data Protection for Data of Customers & Partners.

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

How To Protect Your Privacy Online From Your Company Or Affiliates

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

AlixPartners, LLP. General Data Protection Statement

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

HIPAA PRIVACY AND SECURITY AWARENESS

PRIVACY BREACH MANAGEMENT POLICY

Data Protection Policy

Data Protection Policy.

Cyber Threats: Exposures and Breach Costs

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Vendor Management Best Practices

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE. EFFECTIVE AS OF: August 12, 2015

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Privacy Law Basics and Best Practices

Credit Union Code for the Protection of Personal Information

University of Limerick Data Protection Compliance Regulations June 2015

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Merthyr Tydfil County Borough Council. Data Protection Policy

Information for Management of a Service Organization

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Privacy Policy. Board for Lutheran Education Australia. Policy. Purpose. Exclusion

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

3. Consent for the Collection, Use or Disclosure of Personal Information

DATA PROTECTION POLICY

ATMD Bird & Bird. Singapore Personal Data Protection Policy

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

FIRST DATA CORPORATION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION

Data Protection for the Guidance Counsellor. Issues To Plan For

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

PRIVACY POLICY Personal information and sensitive information Information we request from you

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Acceptable Use Policy

Standards of. Conduct. Important Phone Number for Reporting Violations

A Privacy and Data Security Checklist for All

Data Security and Extranet

Standard. Information Security - Information Classification. Jethro Perkins. Information Security Manager. Page 1 of 12

Data security: A growing liability threat

Applying LT Auditor+ to Address Regulatory Compliance Issues

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Information Privacy Policy

How To Protect Your Data In European Law

Personal Health Information Privacy Policy

Disclosure is the action of making new or secret information known.

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Whitefish School District. PERSONNEL 5510 page 1 of 5 HIPAA

Credit Union Liability with Third-Party Processors

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Texas Medical Records Privacy Act

Data protection policy

FINAL May Guideline on Security Systems for Safeguarding Customer Information

DATA PROTECTION POLICY

on the transfer of personal data from the European Union

The supplier shall have appropriate policies and procedures in place to ensure compliance with

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE

DATA PROTECTION LAWS OF THE WORLD. India

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

005ASubmission to the Serious Data Breach Notification Consultation

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Securing Critical Information Assets: A Business Case for Managed Security Services

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

A Best Practice Guide

BLUE BADGE INSURANCE PTY LTD BLUE BADGE COMMUNITY AUSTRALIA PTY LTD PRIVACY POLICY

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

BBB Wise Giving Alliance & The International Committee of Fundraising Organizations Advancing Trust in the Charitable Sector Federal Trade

Whitepaper. Implications of Federal Privacy Reforms for Federal Government Agencies. Date Released: 1 August 2013

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

To the extent the federal government determines that it will directly operate prescription

M E M O R A N D U M. Definitions

HIPAA Security Rule Compliance

STATEMENT FROM THE CHAIRMAN

Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010

Clinical Solutions. 2 Hour CEU

Cyber-insurance: Understanding Your Risks

Managing General Agents (MGAs) Guideline

Data Protection and Data security Policy

Transcription:

An Executive Overview of GAPP Generally Accepted Privacy Principles

Current Environment One of today s key business imperatives is maintaining the privacy of your customers personal information. As business systems and processes become increasingly complex and sophisticated, growing amounts of personal information are being collected. As a result, personal information may be exposed to a variety of vulnerabilities, including loss, misuse and unauthorized access and disclosure. Those vulnerabilities raise concerns for organizations, the government and the public in general. Maintaining the privacy and protection of customers and employees personal information is a risk management issue for all organizations. Research continues to show that customers have widespread distrust of many organizations business practices, including how they collect, use and retain personal information. The increase in identity theft is a concern for all organizations. Laws and regulations continue to place requirements on businesses for the protection of personal information. Federal legislation mandates the protection and privacy of personal information for customers, clients and patients. In the health care industry, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to follow or address certain information security practices. The financial services industry has standards introduced by the Gramm-Leach-Bliley Act (GLBA). Individual states have also asserted their prerogatives in the absence of certain national privacy laws. For example, an issue active for several years and vastly accelerated in 2005 is regulation by states when data security breaches involve personal information. 45 states currently have security breach laws, and Congress continues to investigate. A national law has yet to evolve, with the ultimate scope of such a potential law remaining unknown. Generally Accepted Privacy Principles (GAPP) have been developed from a business perspective, referencing some, but by no means all, significant local, national and international privacy regulations. GAPP operationalizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles. Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization. Illustrative policy requirements, communications and controls, including monitoring controls, are provided as support for the criteria. This document sets out to describe the privacy principles that can be used by any organization as part of its privacy program. GAPP has been developed to help management create an effective privacy program that addresses privacy risks and obligations and business opportunities. 1

This introduction and the set of privacy principles and related criteria will be useful to those who: Oversee and monitor privacy and security programs Implement and manage privacy in an organization Implement and manage security in an organization Oversee and manage risks and compliance in an organization Assess compliance and audit privacy and security programs Regulate privacy What Is Privacy? Privacy is defined in Generally Accepted Privacy Principles as the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal information. Personal Information Personal information (sometimes referred to as personally identifiable information) is information that is about, or can be related to, an identifiable individual. Individuals, for this purpose, include prospective, current and former customers, employees and others with whom the entity has a relationship. Most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified individual. Some examples of personal information are as follows: Name Home or email address Identification number (for example, a Social Security or Social Insurance number) Physical characteristics Consumer purchase history 2

Some personal information is considered sensitive. Some laws and regulations define the following to be sensitive personal information: Information on medical or health conditions Financial information Racial or ethnic origin Political opinions Religious or philosophical beliefs Trade union membership Sexual preferences Information related to offenses or criminal convictions Sensitive personal information generally requires an extra level of protection and a higher duty of care. For example, some jurisdictions may require explicit consent rather than implicit consent for the collection and use of sensitive information. Some information about or related to people cannot be associated with specific individuals. Such information is referred to as nonpersonal information. This includes statistical or summarized personal information for which the identity of the individual is unknown or linkage to the individual has been removed. In such cases, the individual s identity cannot be determined from the information that remains, because the information is deidentified or anonymized. Nonpersonal information ordinarily is not subject to privacy protection because it cannot be linked to an individual. However, some organizations may still have obligations over nonpersonal information due to other regulations and agreements (for example, clinical research and market research). 3

Privacy or Confidentiality? Unlike personal information, which is often defined by law or regulation, no single definition of confidential information exists that is widely recognized. In the course of communicating and transacting business, partners often exchange information or data that one or the other party requires be maintained on a need-to-know basis. Examples of information that may be subject to a confidentiality requirement include the following: Transaction details Engineering drawings Business plans Banking information about businesses Inventory availability Bid or ask prices Price lists Legal documents Revenue by client and industry Also, unlike personal information, rights of access to confidential information to ensure accuracy and completeness are not clearly defined. As a result, interpretations of what is considered confidential information can vary significantly from organization to organization and, in most cases, are driven by contractual arrangements. Why Privacy Is a Business Issue Good privacy is good business. Good privacy practices are a key part of corporate governance and accountability. One of today s key business imperatives is maintaining the privacy of personal information. As business systems and processes become increasingly complex and sophisticated, organizations are collecting growing amounts of personal information. As a result, personal information is vulnerable to a variety of risks, including loss, misuse, unauthorized access and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments and the public in general. 4

Organizations are trying to strike a balance between proper collection and use of their customers personal information. Governments are trying to protect the public interest and at the same time, manage their cache of personal information gathered from citizens. Consumers are very concerned about their personal information, and many believe they have lost control of it. Furthermore, the public has a significant concern about identity theft and inappropriate access to personal information, especially financial and medical records, and information about children. Individuals expect their privacy to be respected and personal information to be protected by the organizations with which they do business. They are no longer willing to overlook an organization s failure to protect their privacy. Therefore, all businesses need to effectively address privacy as a risk management issue. The following are specific risks of having inadequate privacy policies and procedures: Damage to the organization s reputation, brand or business relationships Legal liability and industry or regulatory sanctions Charges of deceptive business practices Customer or employee distrust Denial of consent by individuals to have their personal information used for business purposes Lost business and consequential reduction in revenue and market share Disruption of international business operations Liability resulting from identity theft Generally Accepted Privacy Principles Generally Accepted Privacy Principles as developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) form a comprehensive resource providing guidance on a number of areas related to privacy. The document, which can be found at aicpa.org/ privacy, offers excellent guidance on defining good privacy and security practices for personal information, organized into 10 principles. 5

The following are the 10 Generally Accepted Privacy Principles: 1. Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures. 2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed. 3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information. 4. Collection. The entity collects personal information only for the purposes identified in the notice. 5. Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulation and thereafter appropriately disposes of such information. 6. Access. The entity provides individuals with access to their personal information for review and update. 7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. 8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical). 9. Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice. 10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes. 6

Privacy Risk Matrix The following table provides an overview of possible privacy risks to which your company may be exposed. Privacy Practice If then Management If you don t effectively manage your customers will your privacy program, take their business elsewhere. Notice If you do not provide your customer you may be in violation of GLBA. with your privacy notice, Choice and Consent If you do not provide your customer you may damage customer relations. with the ability to control when you collect, use and disclose their personal information, Collections If you collect more personal you may create a greater exposure information than necessary, for abuse of that information. Use, Retention and Disposal If you use the personal information you may lose customer trust. for purposes other than specified, Access If you don t give your customers... you run the risk of not having accurate access to their personal information, customer data. Disclosure to Third Parties If your third-party processor uses... your customer will still hold you the personal information of your accountable for improper use of that customers for purposes other than information. specified in your contract, Security for Privacy If you don t protect your customer s... you run the risk of a significant personal information, security breach. Quality If you don t maintain accurate your targeted marketing and customer data, sales may suffer. Monitoring and Enforcement If you don t effectively monitor your... you may be subject to fines and penalties. privacy practices, 7

A breach occurring in any one of these 10 principles may have a detrimental effect on your bottom line. Ignoring these issues only increases the risks to your organization. Businesses need to have sound privacy practices because they: Protect the entity s public image and brand Achieve a competitive advantage in the marketplace Meet the membership requirements of an industry association Efficiently manage personal information and, thereby, reduce administrative costs and avoid unnecessary financial costs, such as retrofitting information systems Enhance credibility and promote continued consumer confidence and goodwill All these reasons have one common denominator: Good privacy practices make good business sense. Generally Accepted Privacy Principles are designed to assist organizations in creating an effective privacy program that addresses their privacy risks and business opportunities. 8

For more information To learn more about privacy and how implementing new privacy measures can benefit your organization, please visit aicpa.org/privacy 10261-378

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information