Privacy Services


    The American Institute of Certified Public Accountants (AICPA) has developed a series of assurance and advisory services. These services are focused on building trust and confidence in businesses and are a natural extension of the CPA's auditing and information technology consulting functions. One of the services is focused on privacy of personal information. The AICPA and CPA Canada have formed the AICPA/CPA Canada Privacy Task Force, which has developed privacy best practices and related services to help organizations manage privacy risk and implement good privacy practices. 

    Visit the Frequently Asked Questions About Privacy Services page for additional information.

    Privacy Responsibilities of Businesses

    Businesses are responsible for identifying the principal risks of the business and implementing appropriate measures to mitigate those risks. To determine the significance of privacy risk, it is important to conduct a privacy risk assessment. The results of that assessment will dictate whether, and to what extent, a privacy program should be established.

    Personal information privacy risk can have a pervasive impact on a business. For example, it can lead to:

    damage to the reputation of the business and to business relationships;
    legal liability and sanctions;
    charges of deceptive business practices;
    customer and employee distrust;
    denial of consent to use personal information for business purposes; and
    lost business and consequential reduction in sales and profits.

    This booklet highlights key questions a business should ask with the aim of understanding privacy risk, implementing a privacy program, managing privacy risk and obtaining privacy assurance.

    Download 20 Questions Businesses Should Ask about Privacy for additional information.

    Privacy Services Prospect Checklist
    This checklist is aimed at assisting practitioners in small and medium-sized firms in focusing their marketing efforts by identifying characteristics of existing and prospective clients that will experience the greatest benefit by investing in privacy services.

    Privacy Risk Assessment Questionnaire
    This questionnaire highlights key questions businesses should ask with the aim of understanding privacy risk, implementing sound privacy policies and practices, managing privacy risk, and obtaining privacy assurance.

    Building a Privacy Practice in Small and Medium-Sized CPA Firms
    This guide serves as the first step for practitioners reviewing or considering investing time and resources in Privacy Advisory Services.

    Incident Response Plan (PDF) and Incident Response Plan (Word Document)
    This Incident Response Plan template can be used to help you design, develop, or adapt your own plan and better prepare you for handling a breach of personal information within your organization.

    Records Management

    Records Management: Integrating Privacy Using Generally Accepted Privacy Principles discusses the importance of designing privacy into an organization’s records management program and how that can be accomplished using Generally Accepted Privacy Principles (GAPP). This publication will:

    explain what personal information is and why privacy is an important business issue.
    identify privacy concerns regarding records management.
    explain how GAPP can be used to integrate privacy into a records management program.

    Effective Management of your Records and Data (Podcast)
    Nancy A. Cohen, CPA.CITP, CIPP discusses the considerations for safeguarding personally identifiable information. As systems and processes become more complex and sophisticated, ever more personal information is being collected. Because more data is being collected and held, personal information may be at risk from a variety of vulnerabilities, including loss, misuse, unauthorized access, and unauthorized disclosure.

    A Privacy Checklist for CPA Firms
    This checklist provides CPA firms with practical illustrations of selected GAPP in order to maintain privacy best practices within their organizations.

    Additional Resources

    Outsourcing and Privacy: 10 Critical Questions Top Management Should Ask
    This article discusses the 10 critical questions management should ask about outsourcing and discusses specific privacy concerns associated with outsourcing.

    Sample Employee Privacy Notice
    Use this example letter of an employee privacy notice when reviewing or assisting with the preparation of a privacy policy.

    Sample Customer Privacy Notice
    Use this example letter of a customer privacy notice when reviewing or assisting with the preparation of a privacy policy.
    Copyright © 2006-2014 American Institute of CPAs.