Establishing an annual privacy risk assessment process to identify new or changed risks to personal information is a key enhancement to Generally Accepted Privacy Principles (GAPP). GAPP is an internationally recognized privacy framework developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).


“An annual risk assessment is critical to understanding the privacy risks within an organization,” said Everett C. Johnson, CPA, chair of the AICPA/CICA Privacy Task Force and a past international president of ISACA. “Once those risks are identified and assessed, the organization can then take the appropriate steps to address those risks. We’ve updated the criteria of our privacy principles to mitigate the risks to personal information.”


Generally Accepted Privacy Principles, last updated in 2006, are designed to help an organization’s management develop a program that addresses their privacy obligations and risks and to assist them with assessing their existing privacy program. It is also the basis for a privacy audit that can be performed by a Certified Public Accountant or Chartered Accountant.

GAPP incorporates concepts from local, national, and international laws, regulations, guidelines, and other bodies of knowledge on privacy into a single privacy objective. This objective is supported by 10 privacy principles:


1. Management – The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.


2. Notice – The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.


3. Choice and consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.


4. Collection – The entity collects personal information only for the purposes identified in the notice.


5. Use, retention, and disposal – The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter appropriately disposes of such information.


6. Access – The entity provides individuals with access to their personal information for review and update.


7. Disclosure to third parties – The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.


8. Security for privacy – The entity protects personal information against unauthorized access (both physical and logical).


9. Quality – The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.


10. Monitoring and enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.


Each principle is supported by objective, measurable criteria for handling personal information throughout an organization. Together, this set of privacy principles and related criteria are useful to those who:


  • oversee and monitor privacy and security programs;

  • implement and manage privacy and security;

  • oversee and manage risks and compliance;

  • assess compliance and audit privacy and security programs;

  • regulate privacy.


The changes, which include eight new criteria (now more than 70 in total) and the modification of two others, were the result of deliberations and consideration given to comments received from the public in response to the exposure draft that was released in March 2009.


“Safeguarding personal information is one of the most challenging responsibilities an organization has, whether it’s information pertaining to employees or customers,” said Johnson. “We’ve updated the criteria of our privacy principles to minimize the risks to personal information. We have enhanced the guidance on security, breach response, and employee-related matters, along with disposal and destruction of personal information.”


The following is a summary of the new criteria:


Personal Information Identification and Classification (1.2.3) – The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Such information is covered by the entity’s privacy and related security policies and procedures.


This may include having an information-classification process that identifies and classifies information into categories such as business confidential, personal information, business general, and public.


Risk Assessment (1.2.4) – A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and develop and update responses to such risks.


Risks may be external (such as loss of information by vendors or failure to comply with regulatory requirements) or internal (such as e-mailing unprotected sensitive information). Ideally, the privacy risk assessment should be integrated with the security risk assessment and be a part of the entity’s overall enterprise risk management program. The AICPA and CICA have developed a Privacy Risk Assessment Tool that organizations may find useful.


Privacy Incident and Breach (1.2.7) – A privacy incident and breach management program has been documented and implemented. It includes, but is not limited to, the following:


  • procedures for the identification, management, and resolution of privacy incidents and breaches;

  • defined responsibilities;

  • a process to identify incident severity and determine required actions and escalation procedures;

  • a process for complying with breach laws and regulations, including notification of stakeholders about a breach, if required;

  • an accountability process for employees or third parties responsible for incidents or breaches with remediation, penalties, or discipline as appropriate;

  • a process for periodic review of actual incidents to identify necessary program updates;

  • periodic testing or walkthrough process and associated program remediation as needed.


Privacy Awareness and Training (1.2.10) – A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.


“Ensuring that employees are educated about privacy will help prevent privacy breaches, improve customer service, and demonstrate the organization’s commitment to sound business practices,” explains Donald Sheehy, CA•CISA, CIPP/C, associate partner with Deloitte (Canada) and a Canadian member of the AICPA/CICA Privacy Task Force.


Information Developed about Individuals (4.2.4) – Individuals are informed if the entity develops or acquires additional information about them for its use. Such information may be obtained or developed from third-party sources, browsing, and credit/purchasing history.


Disposal, Destruction and Redaction of Personal Information (5.2.3) – Personal information no longer retained is made anonymous, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. This can include the removal or redaction of specified personal information about an individual, such as removing credit card numbers after the transaction is complete and using companies that provide secure destruction services.
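The card-number redaction that criterion 5.2.3 uses as its illustration can be automated over stored transaction records. The following Python is an added example written for this page, not code from the AICPA, CICA, or GAPP itself; the record layout (a `status` field plus free-text `notes` and `payment` fields), the redaction token format, and the sample records are all assumptions made for the illustration. It matches 13 to 19-digit runs and keeps only those that pass the Luhn checksum, so order numbers and other digit strings of similar length are left alone, and it redacts only records whose transaction is already complete, which is the condition the criterion attaches.

```python
import re
from typing import Dict, List

# Candidate primary account numbers (PANs): 13-19 digits, optionally
# separated by single spaces or dashes, bounded by non-digit characters.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Free-text fields that may contain a card number (assumed record layout).
_REDACT_FIELDS = ("notes", "payment")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string.

    Used to separate real card numbers from other long digit runs
    (order IDs, tracking numbers) that the regex alone would catch.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid card number in text with a token that keeps
    only the last four digits (enough for customer-service lookups, not
    enough to reconstruct the PAN)."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number; leave it untouched
        return "[PAN-REDACTED-" + digits[-4:] + "]"
    return _PAN_CANDIDATE.sub(_mask, text)


def redact_completed(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a copy of records in which card numbers have been redacted
    from the free-text fields of every record whose status is 'complete'.
    Pending transactions are returned unchanged because the PAN may still
    be needed to settle them."""
    out = []
    for rec in records:
        rec = dict(rec)
        if rec.get("status") == "complete":
            for field in _REDACT_FIELDS:
                if field in rec:
                    rec[field] = redact_pans(rec[field])
        out.append(rec)
    return out


# Constructed sample records (hypothetical data, not from the article).
# The card numbers are the well-known Visa and Amex test numbers.
SAMPLE_RECORDS = [
    {"id": "t1", "status": "complete",
     "payment": "Visa 4111 1111 1111 1111", "notes": "order 1234567890123456"},
    {"id": "t2", "status": "complete",
     "payment": "Amex 378282246310005", "notes": "customer asked for receipt"},
    {"id": "t3", "status": "pending",
     "payment": "Visa 4111-1111-1111-1111", "notes": "awaiting settlement"},
]


if __name__ == "__main__":
    for rec in redact_completed(SAMPLE_RECORDS):
        print(rec["id"], rec["status"], "|", rec["payment"], "|", rec["notes"])
```

In production the same routine would run as part of the retention job rather than ad hoc, and the redaction token should be the only form of the PAN left in backups and logs as well as in the live store; redacting the database while a full PAN survives in an application log defeats the purpose of the control.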


Personal Information on Portable Media (8.2.6) – Personal information stored on portable media or devices is protected from unauthorized access.


Policies and procedures prohibit the storage of personal information on portable media or devices unless a business need exists and such storage is approved by management. Such information is encrypted, password protected, physically protected, and subject to the entity’s access, retention, and destruction policies. Upon termination of employees or contractors, procedures provide for the return or destruction of portable media and devices used to access and store personal information, and printed and other copies of such information.


“Portable devices such as laptops and memory sticks provide convenience to employees, but appropriate measures must be put in place to properly secure them and the data they contain,” related Sheehy. “We must stay abreast of technological advances to ensure that proper measures are put into place to defend against any new threats.”


Ongoing Monitoring (10.2.5) – Ongoing procedures are performed for monitoring the effectiveness of controls over personal information based on a risk assessment and for taking timely corrective actions where necessary. An example of a control would be reviewing employee files to seek evidence of course training in compliance with policies that require all employees take initial privacy training within 30 days of employment.
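The training-completion review that criterion 10.2.5 gives as its example of a monitoring control can be scripted over an export of employee and training records. The following Python is an added example for this page, not code from the AICPA, CICA, or GAPP; the record fields (`hired`, `training`), the four outcome labels, and the sample employees are assumptions made for the illustration. The one point worth getting right, which a naive "hired minus trained" check misses, is that a new hire with no training record is not an exception until the 30-day window has closed, so the check takes an explicit review date and reports those cases separately.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy from the article: initial privacy training within 30 days of hire.
TRAINING_WINDOW = timedelta(days=30)


def classify(hired: date, trained: Optional[date], as_of: date) -> str:
    """Classify one employee's training status as of a review date.

    on_time  - training completed on or before hire + 30 days
    late     - training completed, but after the deadline
    pending  - no training yet, but the deadline has not passed
    missing  - no training, and the deadline has passed (needs action)
    """
    deadline = hired + TRAINING_WINDOW
    if trained is not None:
        return "on_time" if trained <= deadline else "late"
    return "pending" if as_of <= deadline else "missing"


def review_training(employees: List[Dict], as_of: date) -> Dict[str, List[str]]:
    """Group employee IDs by training status for the monitoring report.
    'missing' and 'late' are the entries that require corrective action."""
    report: Dict[str, List[str]] = {
        "on_time": [], "late": [], "pending": [], "missing": []}
    for emp in employees:
        status = classify(emp["hired"], emp["training"], as_of)
        report[status].append(emp["id"])
    return report


def needs_action(report: Dict[str, List[str]]) -> List[str]:
    """IDs that should be escalated: overdue with no training, or trained late."""
    return sorted(report["missing"] + report["late"])


# Constructed sample data (hypothetical employees, not from the article).
SAMPLE_EMPLOYEES = [
    {"id": "e1", "hired": date(2009, 10, 1), "training": date(2009, 10, 20)},  # on time
    {"id": "e2", "hired": date(2009, 10, 1), "training": date(2009, 11, 15)},  # late
    {"id": "e3", "hired": date(2009, 10, 1), "training": None},                # overdue
    {"id": "e4", "hired": date(2009, 12, 10), "training": None},               # window open
]

REVIEW_DATE = date(2009, 12, 20)


if __name__ == "__main__":
    report = review_training(SAMPLE_EMPLOYEES, REVIEW_DATE)
    for status, ids in report.items():
        print(status, ids)
    print("corrective action:", needs_action(report))
```

Running the review on a schedule and keeping each report is what turns the check into the "ongoing procedure" the criterion asks for; the report itself is the evidence an auditor will look for, and the `late` bucket is worth tracking over time because a rising count usually means the onboarding process, not the individual employees, is the control that has failed.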


Other changes to GAPP include restricting the use of personal information in process and systems testing, references to ISO 27002, and revised language for auditors to use when preparing reports on a privacy audit.


Several organizations worked in conjunction with the AICPA and CICA on GAPP, including ISACA and the Institute of Internal Auditors. Copies of GAPP, along with additional privacy resources, are available at
and
.