Privacy / Data Protection 

    Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information. Privacy is a risk management issue for all organizations, and many are looking to CPA firms for privacy solutions.

    CPAs are adept at performing comprehensive risk assessments for businesses and developing risk management solutions that can give companies competitive marketplace advantages.

    Privacy is included in these risk assessments, and CPAs use a universal framework of privacy best practices against which the company's privacy policies can be examined. CPAs can provide guidance to the organizations they serve by using the Generally Accepted Privacy Principles (GAPP) to help assess their privacy-related risks as well as to develop sound privacy policies and practices. 

    Generally Accepted Privacy Principles

    The AICPA and CPA Canada have formed the AICPA/CPA Canada Privacy Task Force, which has developed the Generally Accepted Privacy Principles (GAPP). This document supersedes the AICPA and CPA Canada Privacy Framework. Using GAPP, CPAs can help organizations design and implement sound privacy practices and policies. These principles and criteria were developed and updated by volunteers who considered both current international privacy regulatory requirements and best practices. These principles and criteria were issued following the due process procedures of both institutes, which included exposure for public comment. The adoption of these principles and criteria is voluntary.

    Download the Principles and Criteria table and the Executive Overview of GAPP to start using GAPP.

    Visit the GAPP page for additional information.


    Privacy Resources

    The protection of sensitive information is a high priority for organizations at large. This page provides useful resources to help you learn more about privacy initiatives through reports, articles and other sources, including National Institute of Standards and Technology documents.

    Privacy Principles Scoreboard
    The AICPA Privacy Principles Scoreboard tool is designed to help organizations and the CPAs that serve them reach a new level of best practice in the assessment and management of privacy.

    Identity Theft Resources
    Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in a way that involves fraud or deception, typically for economic gain.

    FTC Identity Theft Resources for Businesses
    The Federal Trade Commission (FTC) has compiled resources to help organizations secure the personal information they collect and prevent identity theft.

    Visit the Privacy Resources page for additional information.

    Privacy Act of 1974

    The Privacy Act of 1974 prohibits federal government agencies from disclosing any personal information about an individual without consent, except in certain circumstances such as: law enforcement purposes; census activities; and necessary circumstances for a government to conduct its business. The Privacy Act of 1974 applies to federal government agencies, as well as businesses that are contractors for a federal government agency and that collect, maintain, process, or transmit data.

    Privacy Services

    The American Institute of Certified Public Accountants (AICPA) has developed a series of assurance and advisory services. These services are focused on building trust and confidence in businesses and are a natural extension of the CPA's auditing and information technology consulting functions. One of the services is focused on privacy of personal information. The AICPA and CPA Canada have formed the AICPA/CPA Canada Privacy Task Force, which has developed privacy best practices and related services to help organizations manage privacy risk and implement good privacy practices.

    Frequently Asked Questions About Privacy Services page

    Visit the Privacy Services page for additional information.

    Federal, State and Other Professional Regulations

    CPAs engaged to perform privacy advisory services and attestation engagements must follow the pertinent laws, rules, and standards. This resource section provides an overview of developments on information privacy in the United States. It reviews the Safe Harbor Agreement with the European Union, the Privacy Act of 1974, the Electronic Freedom of Information Act of 1996, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. It also includes various State regulations and the IRS Code.

    Visit the Federal, State and Other Professional Regulations page for additional information.

    International Regulations

    This section provides an overview of international developments on information privacy. It reviews initiatives by the Organisation for Economic Co-operation and Development (OECD) and by the European Union (EU). It also reviews specific initiatives by Australia, Canada, New Zealand, and the United Kingdom.

    Visit the International Regulations page for additional information.


    Copyright © 2006-2014 American Institute of CPAs.