GAPP

Generally Accepted Privacy Principles is a framework intended to assist Chartered Accountants and Certified Public Accountants in creating an effective privacy program for managing and preventing privacy risks.

It was developed through joint consultation with the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force.

The GAPP were previously known as the AICPA/CICA Privacy Framework and is founded on a single privacy principle, being that personally identifiable information must be collected, used, retained and disclosed in compliance with the commitments in the entity’s privacy notice and with criteria set out in the GAPP issued by the AICPA/CICA.

This privacy objective is supported by ten main principles and over seventy objectives, with associated measurable criteria.

This framework is frequently used in the context of  Financial Industry in USA where compliance to Gramm Leach Bliley Act (GLBA) is required.

Ten Principles

The ten Generally Accepted Privacy Principles and their criteria are:

1. Management

-The organization defines, documents, communicates and assigns accountability for its privacy policies and procedures.

2. Notice

-The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which personal information is collected, used and retained.

3. Choice and consent

-The organization describes the choices available to the individual. The organization secures implicit or explicit consent regarding the collection, use and disclosure of the personal data.

4. Collection

Personal information is only collected for the purposes identified in the notice (see #2).

5. Use, retention and disposal

The personal information is limited to the purposes identified in the notice the individual consented to. The organization retains the personal information only for as long as needed to fulfill the purposes, or as required by law. After this period, the information is disposed of appropriately.

6. Access

The organization provides individuals with access to their personal information for review or update.

7. Disclosure to third parties

Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.

8. Security for privacy

Personal information is protected against both physical and logical unauthorized access.

9. Quality

The organization maintains accurate, complete and relevant personal information that is necessary for the purposes identified.

10. Monitoring and enforcement

The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy-related complaints and disputes.


P.S: This page may be updated from time to time with additional information. Discussions on this may also be covered in the articles on the site.