Generally Accepted Privacy Principles (GAPP)


Generally accepted privacy principles (GAPP) outline 10 components of data privacy used to help organizations design their own privacy programs.

  • developed by:
    • American Institute of Certified Public Accountants (AICPA)
    • Canadian Institute of Chartered Accountants (CICA)
    • Information Systems Audit and Control Association (ISACA)
    • Institute of Internal Auditors (IIA)

Principles

  1. Management
    • Organizations handling private information should have policies, procedures, and governance structures in place to protect privacy
    • clearly defined roles of data owner, data steward, and data custodian
  2. Notice
    • Data subjects should receive notice that their information is being collected and used, as well as access to the privacy policies and procedures followed by the organization
  3. Choice and Consent
    • The organization should inform data subjects of their options regarding the data they own and get consent from those individuals for the collection, storage, use, and sharing of that information
  4. Collection
    • The organization should only collect personal information for purposes disclosed in their privacy notices
  5. Use, Retention, and Disposal
    • Organizations should only collect and use personal information for disclosed purposes, and they should dispose of the data securely as soon as it is no longer needed for the disclosed purpose
  6. Access
    • Organizations should provide data subjects with the ability to review and update their personal information
  7. Disclosure to Third Parties
    • Organizations should only share information with third parties if that information is consistent with the purposes disclosed in privacy notices and they have the consent of the individual to share that information
  8. Security for Privacy
    • The organization must secure private information against unauthorized access, either physically or logically
  9. Quality
    • The organization should take reasonable steps to ensure that the private information they maintain is accurate, complete, and relevant
  10. Monitoring and Enforcement
    • The organization should have a program in place to monitor compliance with its privacy policies and provide a dispute resolution mechanism

Management

“The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.”

  • lists a set of criteria that orgs should follow to establish control over the management of their privacy programs:
    • Creating written privacy policies and communicating those policies to personnel
    • Assigning responsibility and accountability for those policies to a person or team
    • Establishing procedures for the review and approval of privacy policies and changes
    • Ensuring privacy policies are consistent with applicable laws and regulations
    • Performing privacy risk assessments on at least an annual basis
    • Ensuring that contractual obligations to customers, vendors, and partners are consistent with privacy policies
    • Assessing privacy risks when implementing or changing technology infrastructure
    • Creating and maintaining a privacy incident management process
    • Conducting privacy awareness and training and establishing qualifications for employees with privacy responsibilities

Notice

  • requires organizations to inform individuals about their privacy practices
  • defines notice as

“The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.”

  • criteria:
    • Include notice practices in the organization’s privacy policy
    • Notifying individuals about the purpose of collecting personal information and the organization’s policies surrounding the other GAPP principles
    • Providing notice to individuals
      • at the time of data collection
      • when policies and procedures change
      • when the organization intends to use information for new purposes not disclosed in earlier notices
    • Writing privacy notices in plain and simple language and posting them conspicuously

Choice and Consent

Choice and consent allows individuals to retain control over the use of their personal information.

  • defined as

“The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.”

  • Criteria:
    • Include choice and consent practices in the organization’s privacy policy
    • Informing individuals about the choice and consent options available to them and the consequences of refusing to provide personal information or withdrawing consent
    • Obtaining implicit or explicit consent at or before the time that personal information is collected
    • Notifying individuals of proposed new uses for previously collected information and obtaining additional consent for those new uses
    • Obtaining direct explicit consent from individuals when the organization collects, uses, or discloses sensitive personal information
    • Obtaining consent before transferring personal information to or from an individual’s computer or device

Collection

Collection governs the ways organizations come into possession of personal information.

  • defined as

“The entity collects personal information only for the purposes identified in the notice.”

  • criteria:
    • Include collection practices in privacy policies
    • Inform individuals that their personal information will only be collected for identified purposes
    • Include details on the methods used to collect data and the types of data collected in the organization’s privacy notice
    • Collect information using fair and lawful means and only for the purpose identified in the privacy notice
    • Confirm that any third parties who provide the organization with personal information have collected it fairly and lawfully and that the information is reliable
    • Inform individuals if the organization obtains additional information about them

Use, Retention, and Disposal

  • defined as

“The entity limits use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.”

  • criteria:
    • Include collection practices in privacy policies
    • Inform individuals that their personal information will only be used for disclosed purposes for which the organization has obtained consent, and then abide by that statement
    • Inform individuals that their data will be retained for no longer than necessary, and then abide by that statement
    • Inform individuals that info that is no longer needed will be disposed of securely, and abide by that statement

Access

  • defines access as

“The entity provides individuals with access to their personal information for review and update.”

  • criteria
    • Include practices around access to personal info in the privacy policy
    • Inform individuals about the procedures for reviewing, updating, and correcting their personal information
    • Provide individuals with a mechanism to determine whether the organization maintains personal info about them and to review such info
    • Authenticate an individual's identity before providing them with access to personal information
    • Provide access to information in an understandable format within a reasonable period of time and either for a reasonable charge that is based on the org’s actual cost or at no cost
    • Inform individuals in writing why any requests to access or update personal information were denied, and inform them of any appeal rights they may have
    • Provide a mechanism for individuals to update or correct personal information, and provide that updated information to third parties who receive it from the organization

Disclosure to Third Parties

  • defines the disclosure to third parties principle as follows:

“The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.”

  • criteria
    • Including third-party disclosure practices in the organization’s privacy policies
    • Informing individuals of any third-party disclosures that take place and the purpose of those disclosures
    • Informing third parties who receive personal information from the organization that they must comply with the organization’s privacy policy and handling practices
    • Disclosing personal information to third parties without notice or for purposes other than those disclosed in the notice only when required to do so by law
    • Disclosing information to third parties only under the auspices of an agreement that the third party will protect the information consistent with the organization’s privacy policy
    • Implementing procedures designed to verify that the privacy controls of third parties receiving personal information from the organization are functioning effectively
    • Taking remedial action when the organization learns that a third party has mishandled personal information shared by the organization

Security for Privacy

  • defines security for privacy as:

“The entity protects personal information against unauthorized access (both physical and logical).”

  • criteria:
    • Include security practices in privacy policies
    • Inform individuals that the org takes precautions to protect the privacy of their personal information
    • Develop, document, and implement an information security program that addresses the major privacy-related areas of security listed in ISO 27002:
      • Risk assessment and treatment
      • Security policy
      • Organization of information security
      • Asset management
      • Human resources security
      • Physical and environmental security
      • Communications and operations management
      • Access control
      • Information systems acquisition, development, and maintenance
      • Information security incident management
      • Business continuity management
      • Compliance

Quality

  • quality principle states

“The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.”

  • criteria
    • Include data quality practices in privacy policies
    • Inform individuals that they bear responsibility for providing the org with accurate and complete personal information and for informing the org if corrections are required
    • Maintain personal information that is accurate, complete, and relevant for the purposes for which it will be used

Monitoring and Enforcement

  • monitoring and enforcement principle states:

“The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.”

  • criteria
    • Including monitoring and enforcement practices in the organization’s privacy policies
    • Informing individuals about how they should contact the organization if they have questions, complaints, or disputes regarding privacy practices
    • Maintaining a dispute resolution process that ensures that every complaint is addressed and that the individual who raised the complaint is provided with a documented response
    • Reviewing compliance with privacy policies, procedures, laws, regulations, and contractual obligations on an annual basis
    • Developing and implementing remediation plans for any issues identified during privacy compliance reviews
    • Documenting cases where privacy policies were violated and taking any necessary corrective action
    • Performing ongoing monitoring of the privacy program based on a risk assessment