Generally Accepted Privacy Principles (GAPP) « CIPP Guide https://www.cippguide.org/2010/07/01/generally-accepted-privacy-pri...


Generally Accepted Privacy Principles (GAPP)


Professional accountant institutions in the United States and Canada collaborated to publish a document describing the Generally
Accepted Privacy Principles (GAPP). The GAPP facilitate the management of privacy policies and programs at the local, national and
international level. Accountants, among other professionals, face a range of differing privacy laws and regulations. The
GAPP offer a comprehensive framework for designing an effective privacy program that can be applied across a number of industries
and professions.

Canadian Institute of Chartered Accountants


The Canadian Institute of Chartered Accountants (CICA) consists of about 75,000 Chartered Accountants and 12,000 students
in Canada and Bermuda. Its mission is to foster public confidence in the Chartered Accountant profession. As such, the CICA
carries out research into current business issues and supports setting accounting, auditing and assurance standards in business,
not-for-profit organizations and government. The CICA represents the Chartered Accountant profession nationally and
internationally.

American Institute of Certified Public Accountants


The American Institute of Certified Public Accountants (AICPA) has been involved with the accounting profession since 1887.
It is the national, professional organization for Certified Public Accountants and it endeavors to provide members with resources,
information and leadership to help them provide their services in the most professional manner. The AICPA works with state
Certified Public Accountant organizations.

In order to meet its objectives, the AICPA fulfills the following functions:

Advocacy
Certification and licensing
Communications
Recruiting and education
Standards and performance

Generally Accepted Privacy Principles


The GAPP present a comprehensive framework that assists Chartered Accountants and Certified Public Accountants in creating
an effective privacy program for managing and preventing privacy risks. They were developed through joint consultation between the CICA
and the AICPA, through the AICPA/CICA Privacy Task Force.

The GAPP can be used by any organization as part of an effective privacy program. They may be used to address privacy risks,
obligations and business opportunities, or by boards responsible for governance and oversight. The GAPP offer a useful resource
for those who:

implement and manage security or privacy in an organization
oversee and monitor privacy and security programs
oversee and manage risks and compliance in an organization
assess compliance and audit privacy and security programs
regulate privacy

The GAPP were previously known as the AICPA/CICA Privacy Framework and are founded on a single privacy principle: that
personal information must be collected, used, retained and disclosed in compliance with the commitments in the entity’s privacy
notice and with the criteria set out in the GAPP issued by the AICPA/CICA. This privacy objective is supported by ten main principles
and over seventy objectives, each with associated measurable criteria.

The GAPP are crucial for the appropriate protection and management of personal data. The principles are based on internationally
agreed upon fair information practices. They incorporate privacy laws and regulations from various jurisdictions around the world
and encourage the implementation of good privacy practices from a business perspective.

Ten Principles
The ten Generally Accepted Privacy Principles and their criteria are:

1. Management

The organization defines, documents, communicates and assigns accountability for its privacy policies and procedures.
Criteria:
privacy policies define and document all ten GAPP
review and approval of changes to privacy policies conducted by management

risk assessment process in place to establish a risk baseline and regularly identify new or changing risks to personal data
infrastructure and systems management takes into consideration impacts on personal privacy
privacy awareness training

2. Notice

The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which
personal information is collected, used and retained.
Criteria:
communication to individuals
provision of notice
use of clear and conspicuous language

3. Choice and consent

The organization describes the choices available to the individual. The organization secures implicit or explicit consent
regarding the collection, use and disclosure of the personal data.
Criteria:
communicating the consequences of denying/withdrawing consent
consent for new purposes/uses of the personal data
explicit consent for sensitive data
consent for online data transfer

4. Collection

Personal information is only collected for the purposes identified in the notice (see #2).
Criteria:
document and describe types of information collected and methods of collection
collection of information by fair and lawful means, including collection from third parties
inform individuals if information is developed or additional information is acquired

5. Use, retention and disposal

Use of the personal information is limited to the purposes identified in the notice to which the individual consented. The organization
retains the personal information only for as long as needed to fulfill those purposes, or as required by law. After this period, the
information is disposed of appropriately.
Criteria:
systems and procedures in place to ensure personal information is used, retained and disposed of appropriately

6. Access

The organization provides individuals with access to their personal information for review or update.
Criteria:
confirmation of individual’s identity before access is given to personal information
personal information presented in understandable format
access provided in reasonable time frame and at a reasonable cost
statement of disagreement; the reason for denial should be explained to individuals in writing

7. Disclosure to third parties

Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the
individual.
Criteria:
communication with third parties should be made known to the individual
information should only be disclosed to third parties that have equivalent agreements to protect personal information
individuals should be aware of any new uses/purposes for the information
the organization should take remedial action in response to misuse of personal information by a third party

8. Security for privacy

Personal information is protected against both physical and logical unauthorized access.
Criteria:
privacy policies must address the security of personal information
information security programs must include administrative, technical and physical safeguards
logical access controls in place
restrictions on physical access
environmental safeguards
personal information protected when being transmitted (e.g. mail, internet, public or other non-secure networks)
security safeguards should be tested for effectiveness at least once annually

9. Quality

The organization maintains accurate, complete and relevant personal information that is necessary for the purposes
identified.
Criteria:
personal information should be relevant to the purposes for which it is used

10. Monitoring and enforcement

The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address
privacy-related complaints and disputes.
Criteria:
individuals should be informed on how to contact the organization with inquiries, complaints and disputes
formal process in place for inquiries, complaints or disputes
each complaint is addressed and the resolution is documented for the individual
compliance with privacy policies, procedures, commitments and legislation is reviewed, documented and reported to management

These ten principles can be applied by organizations to establish and manage privacy programs. Developing a privacy program
requires the following activities:

Strategizing

Strategizing is about long-term direction and prosperity. A strategic vision defines the organization’s culture and helps
determine how the organization will interact with customers, competitors, and legal, social and ethical issues.
Establishing a strategy with an eye to the privacy principles helps the organization to incorporate its privacy goals.

Diagnosing

This involves assessment and includes analysis of the organization’s environment, identifying where weaknesses,
vulnerabilities and threats may exist.
At this stage, the organization evaluates itself against its privacy goals and determines to what extent the organization is
currently achieving its goals and objectives.
As a legislation-neutral benchmark, the GAPP allow organizations to assess their current privacy standards against their
desired standards and practices.

Implementing

This step involves developing and documenting a privacy program and action plan. It also involves all the tasks necessary
to make the action plan operational.
At the end of this step, the organization should have the following prepared:
Systems, procedures, processes to address desired privacy requirements
Privacy compliant forms, brochures, contracts
Internal/external privacy awareness programs

Sustaining and Managing

This is the process of monitoring work to identify how the practice differs from the action plan. This gives the organization
an opportunity to initiate corrective action.
Monitoring refers to the management policies, processes and technologies that help facilitate compliance with privacy
policies.
The GAPP can be applied to develop necessary reporting criteria and to ensure that the parties who are receiving the
information are entitled to do so.

Internal Privacy Audit

This provides objective assurance and consultation in order to add value and improve upon an organization’s operations.
Auditors can use the GAPP as a benchmark for reporting back to management.

External Privacy Audit

This refers to Certified Public Accountants and Chartered Accountants who perform assurance services in order to build
trust and confidence for individuals, management, customers, business partners and other stakeholders.
Auditors can evaluate using the GAPP and provide reports.

The above principles and associated criteria offer organizations and professionals a basis for designing, implementing,
maintaining and evaluating their privacy program.

Summary
This article describes how the need for privacy protection tools and frameworks in the Chartered Accountant/Certified Public
Accountant profession led to the development of a comprehensive framework for privacy policies and programs. The article
outlines the ten key principles of the GAPP (Generally Accepted Privacy Principles) and explores the associated criteria and
stages in the creation of an effective privacy program.

CIPP/C Preparation
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with
topics related to this post, including:

Model codes and cooperation – AICPA/CICA Generally Accepted Privacy Principles (GAPP) (III.B.i.i.)

July 1st, 2010 | Tags: AICPA, Canada, CICA, CIPP/C, GAPP, USA | Category: CIPP, Compliance & Regulations

1 comment to Generally Accepted Privacy Principles (GAPP)

Kevin Lam
May 5th, 2014 at 12:45 pm
Hi, I wrote an article on how CPA firms (who aren’t already security/privacy experts) can implement the
security/privacy items from the GAPP checklist since this is still a concern for CPAs in 2014:

http://www.goironbox.com/cpa-privacy-checklist-cheatsheet/
Thanks,

–Kevin
