Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information. Privacy is a risk management issue for all organizations, and many are looking to CPA firms for privacy solutions.
CPAs are adept at performing comprehensive risk assessments for businesses and developing risk management solutions that can give companies competitive marketplace advantages.
Privacy is included in these risk assessments, and CPAs use a universal framework of privacy best practices against which the company's privacy policies can be examined. CPAs can provide guidance to the organizations they serve by using the Generally Accepted Privacy Principles (GAPP) to help assess their privacy-related risks as well as to develop sound privacy policies and practices.
The Privacy Act of 1974 prohibits federal government agencies from disclosing any personal information about an individual without consent, except in certain circumstances, such as law enforcement purposes, census activities, and circumstances in which disclosure is necessary for the government to conduct its business. The Privacy Act of 1974 applies to federal government agencies, as well as to businesses that are contractors for a federal government agency and that collect, maintain, process, or transmit data.

The American Institute of Certified Public Accountants (AICPA) has developed a series of assurance and advisory services. These services are focused on building trust and confidence in businesses and are a natural extension of the CPA's auditing and information technology consulting functions. One of the services is focused on privacy of personal information. The AICPA and the Canadian Institute of Chartered Accountants (CICA) have formed the AICPA/CICA Privacy Task Force, which has developed privacy best practices and related services to help organizations manage privacy risk and implement good privacy practices.
See the Frequently Asked Questions About Privacy Services page. Visit the Privacy Services page for additional information.
Federal, State and Other Professional Regulations
CPAs engaged to perform privacy advisory services and attestation engagements must follow the pertinent laws, rules, and standards. This resource section provides an overview of developments on information privacy in the United States. It reviews the Safe Harbor Agreement with the European Union, the Privacy Act of 1974, the Electronic Freedom of Information Act of 1996, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. It also includes various state regulations and the IRS Code.
Visit the Federal, State and Other Professional Regulations page for additional information.
In addition to Federal regulations, more than forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted privacy regulations requiring that companies and/or state agencies disclose to consumers security breaches involving personal information.
The State Security Breach Laws were enacted to protect the confidential personal information of consumers.
International Regulations
This section provides an overview of international developments on information privacy. It reviews initiatives by the Organisation for Economic Co-operation and Development (OECD) and by the European Union (EU). It also reviews specific initiatives by Australia, Canada, New Zealand, and the United Kingdom.
Visit the International Regulations page for additional information.
Generally Accepted Privacy Principles
The AICPA and the Canadian Institute of Chartered Accountants (CICA) have formed the AICPA/CICA Privacy Task Force, which has developed the Generally Accepted Privacy Principles (GAPP). This document supersedes the AICPA and CICA Privacy Framework. Using GAPP, CPAs can help organizations design and implement sound privacy practices and policies. These principles and criteria were developed and updated by volunteers who considered both current international privacy regulatory requirements and best practices. These principles and criteria were issued following the due process procedures of both institutes, which included exposure for public comment. The adoption of these principles and criteria is voluntary.
Download the Principles and Criteria table and the Executive Overview of GAPP to start using GAPP. Visit the GAPP page for additional information.

The protection of sensitive information is a high priority for organizations at large. This page provides useful resources to help you learn more about privacy initiatives through reports, articles, and other sources, including National Institute of Standards and Technology documents.
Privacy Principles Scoreboard
The AICPA Privacy Principles Scoreboard tool is designed to help organizations and the CPAs that serve them reach a new level of best practice in the assessment and management of privacy.
Cloud Computing and Privacy
This page contains resources for cloud computing and privacy.
Identity Theft Resources
Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in a way that involves fraud or deception, typically for economic gain.
FTC Identity Theft Resources for Businesses
The Federal Trade Commission (FTC) has compiled resources to help organizations secure the personal information they collect and prevent identity theft.
Visit the Privacy Resources page for additional information.