Frequently Asked Questions About Privacy Services 


    This article presents a series of frequently asked questions regarding privacy and privacy services.

    Privacy Services FAQ

    What is privacy?
    Privacy is defined in Generally Accepted Privacy Principles (GAPP) as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal information.” One of today’s key business imperatives is maintaining the privacy of personal information collected and held by an organization. As business systems and processes become increasingly complex and sophisticated, growing amounts of personal information are being collected. Because more data is being collected and held, most often in electronic format, personal information may be at risk from a variety of vulnerabilities, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, individuals, and the public in general.

    What are generally accepted privacy principles?
    Generally Accepted Privacy Principles (GAPP) has been developed from a business perspective, referencing some, but by no means all, significant local, national and international privacy regulations. GAPP operationalizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles. Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization. Illustrative policy requirements, communications, and controls, including monitoring controls, are provided as support for the criteria.

    What is personal information?
    Personal information (sometimes referred to as personally identifiable information) is information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Individuals, for this purpose, include prospective, current, and former customers, employees, and others with whom the entity has a relationship. Most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified individual. Some examples of personal information are as follows:

    • Name
    • Home or e-mail address
    • Identification number (for example, a Social Security or Social Insurance Number)
    • Physical characteristics
    • Consumer purchase history

    Some personal information is considered sensitive and therefore prone to abuse if handled improperly. Sensitive personal information might include information on medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sexual preference. 

    What is the relationship between Generally Accepted Privacy Principles and the Trust Services Principles and Criteria?
    Generally accepted privacy principles are part of the AICPA and CPA Canada Trust Services Principles and Criteria that are based upon a common framework (that is, a core set of principles and criteria) to provide professional attestation or assurance and consulting or advisory services. The Trust Services Principles and Criteria were developed by volunteer task forces under the auspices of the AICPA and CPA Canada. The other trust services principles and criteria are:

    • Security. The system is protected against unauthorized access (both physical and logical).
    • Availability. The system is available for operation and use as committed or agreed.
    • Processing integrity. System processing is complete, accurate, timely, and authorized.
    • Confidentiality. Information designated as confidential is protected as committed or agreed.

    These are discussed more fully at Trust Services.

    What is privacy-related risk?
    The specific risks of being noncompliant, having an inadequate privacy policy, or having a good privacy policy that is not properly implemented are:

    • Damage to the organization’s reputation, brand, or business relationships
    • Legal liability and industry or regulatory sanctions
    • Charges of deceptive business practices
    • Customer or employee distrust
    • Denial of consent by individuals to have their personal information used for business purposes
    • Lost business and consequential reduction in revenue and market share
    • Disruption of international business operations
    • Liability resulting from identity theft

    What are value-added privacy services?
    Assurance practitioners can provide a number of value-added services, for example:

    • Developing a privacy strategy
    • Providing privacy advice and training
    • Reviewing privacy policies
    • Assessing and managing privacy risk
    • Facilitating the development and implementation of controls for a privacy compliance program
    • Providing assurance on the effectiveness of privacy control systems
    • Conducting a privacy assurance engagement in accordance with GAPP

    What skill sets do CPAs need to succeed in privacy engagements?
    CPAs should be well versed in privacy law and be able to evaluate an entity’s compliance level. To help an organization become privacy compliant, CPAs must understand how it gathers, uses, stores, discloses and disposes of customer/client data. CPAs should assemble a versatile team to design a plan to identify data protection deficiencies, create a strategy, and implement and monitor the plan for compliance. Team members should represent various parts of the organization, including legal, internal auditing, risk management, finance, information security, human resources and operations. The complexity and evolution of privacy regulations can make it difficult for organizations to ensure their computer systems, business practices, corporate policies and administrative processes are fully compliant. CPAs experienced in these settings who are also conversant with the latest regulatory developments can help their clients or employers identify and address situations and factors that threaten privacy. These are valuable skills in today’s business environment, where any organization that breaches privacy regulations or fails to meet the public’s confidentiality expectations will lose customers, suffer adverse press and perhaps face litigation and/or penalties as a result of individuals filing complaints with federal or state agencies such as the Federal Trade Commission.
    Copyright © 2006-2014 American Institute of CPAs.