Generally Accepted Privacy Principles in WebTrust Engagements 



    Frequently Asked Questions about GAPP and Trust Services 

    Introduction

    Generally Accepted Privacy Principles (GAPP) are privacy principles and criteria that have been developed by AICPA and CPA Canada to assist organizations in creating an effective privacy program that addresses their privacy risks and business opportunities. GAPP can be used by organizations to perform privacy strategic and business planning, privacy gap and risk analysis, benchmarking, privacy policy design and implementation, and performance measurement, and to monitor and audit privacy programs. GAPP consists of ten generally accepted privacy principles, supported by criteria, based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and on recognized good privacy practices.

    The WebTrust service is one of several types of Trust Services engagements and is an attestation examination of management’s assertions related to an e-commerce based business segment. Upon attainment of a CPA practitioner’s unqualified attestation report, the entity may choose (under certain conditions) to display a WebTrust Seal and an accompanying practitioner’s report on its Web site. The attestation examination requires the use of AICPA AT101 Standards. GAPP supersedes the online privacy principle and criteria that were used in a WebTrust engagement and is broader in scope (for example, it can be applied to an entire enterprise, not just the e-commerce based business segment).

    These Frequently Asked Questions (FAQs) provide suggestions and clarifications on the application of GAPP in attestation engagements, with emphasis on those engagements in which the superseded Trust Services’ online privacy principle and criteria were used previously. This includes WebTrust Online Privacy and other Trust Services engagements. In addition, these FAQs address questions posed on GAPP and SAS No. 70. The responses represent views expressed by the AICPA/CPA Canada Privacy Task Force and do not necessarily represent the official views of the American Institute of Certified Public Accountants (AICPA) or CPA Canada.      


    Relationship of GAPP and Trust Services


    Question 1 – GAPP and WebTrust

    Can GAPP be used in a WebTrust engagement?  

    Yes - The privacy criteria in GAPP have now been incorporated into Trust Services Principles, Criteria and Illustrations for use in a WebTrust engagement. Please refer to Appendix C of the CPA/CA practitioner version of Generally Accepted Privacy Principles on the AICPA website.     

    When the privacy engagement relates to an online segment, an entity may choose to display a WebTrust Online Privacy seal. For these engagements, the scope needs to include, as a minimum, an online business segment of the entity.  


    Question 2 - GAPP and SysTrust

    Can GAPP be used in a SysTrust engagement?

    GAPP cannot be used in a SysTrust engagement. A SysTrust engagement focuses on controls within one defined system. A privacy attestation engagement (such as WebTrust), on the other hand, focuses on protection of personal information throughout its lifecycle (i.e., from collection through destruction) within the business or business segment, as defined by the terms of the engagement. This often involves more than one system.


    Question 3 - wording of WebTrust online privacy report

    How would a WebTrust online privacy report be worded using GAPP?

    See Appendix A (below) to these FAQs.


    Question 4 - scope of a WebTrust online privacy audit

    What is the scope of a WebTrust online privacy audit using GAPP?

    As set out in Appendix C of the CPA/CA practitioner version of “Generally Accepted Privacy Principles”:

    • The scope of the engagement can cover (1) either all personal information or only certain identified types of personal information, such as customer information or employee information, and (2) all business segments and locations for the entire entity or only certain identified segments of the business (such as retail operations, but not manufacturing operations or such as only operations originating on the entity’s Web site) or geographic locations (such as only Canadian operations). In addition:

    • The scope of the engagement generally should be consistent with the description of the entities and activities covered in the privacy notice (see GAPP Criterion 2.2.2). The scope often could be narrower, but ordinarily not broader, than that covered by the related privacy notice.

    • The scope of the engagement should cover all of the activities in the “information lifecycle” for the relevant personal information. These should include collection, use, retention, disclosure and destruction, de-identification or anonymization. Defining a segment that does not include this entire cycle could be misleading to the user of the practitioner’s report.

    • If the identified personal information included in the scope of the examination is commingled with other information not in the scope of the engagement, the privacy assurance engagement needs to cover controls over all of the information from the point of commingling forward.

    • Using the above guidance, a report can be issued on an online system as an identified business segment subject to the provisions in the preceding three bullets.


    Question 5 – the examination and report coverage of all ten privacy principles

    In a WebTrust online privacy engagement, does the examination and report need to cover all ten privacy principles?

    Yes - Generally Accepted Privacy Principles are founded on the following privacy objective.

    Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CPA Canada.

    This privacy objective is equivalent to a single Trust Services Principle (e.g., Security, Availability). This privacy objective can only be met by examining, and meeting, all ten privacy principles.

    As set out in Appendix C of the CPA/CA practitioner version of “Generally Accepted Privacy Principles”:

    “A privacy assurance report ordinarily covers all ten principles. All of their relevant criteria need to be met during the period covered by the report to issue an unqualified report.”  


    Question 6 – online segment vs. privacy notice

    For a WebTrust online privacy engagement, what is the difference between the description of the online segment covered by the examination (set out in the practitioner’s report) and the organization’s privacy notice (typically referenced from its web site)?

    They are entirely different in purpose. The privacy notice provides information as to the organization’s privacy policies that are disclosed as being in place. The description of the online segment provides the description of the online business segment being subjected to examination.

    In a WebTrust engagement, the practitioner is engaged to examine both that an entity maintained effective controls over the system under review (in this case, GAPP), and that it complied with its commitments regarding the stated Trust Services Principle(s) (in this case, its disclosures in its privacy notice).  

    Ideally, when using GAPP for the online engagement, organizations may consider having a separate privacy notice covering the systems subject to examination to reduce any confusion.  


    Question 7 – relationship between Trust Services, GAPP, and WebTrust

    What is the relationship between Trust Services, GAPP, and WebTrust?

    Trust Services are a set of professional assurance and advisory services based on a common framework to address the risks and opportunities of Information Technology. They include the following principles and criteria:

    • Security

    • Availability

    • Processing Integrity

    • Confidentiality

    • Privacy

    GAPP represents the related principles and criteria for Privacy in this framework.

    The WebTrust service consists of an examination of an e-commerce based business segment and, upon attainment of an unqualified assurance report, allows the entity to display a WebTrust Seal and an accompanying practitioner’s report on its Web site. As discussed in question 1, WebTrust Online Privacy is likewise an examination of an online business segment and, upon attainment of an unqualified assurance report, an entity may choose to display a WebTrust Online Privacy seal.

    Question 8 – resource guidance

    Where can I find resource guidance for Trust Services and Privacy Services?

    The CPA Canada Reference Database offers the following products for Privacy Services:

    • Protecting Your Money, Privacy and Identity from Theft, Loss and Misuse – No. 02960

    • 20 Questions a Small Business Should Ask About Privacy – No. 04000015

    • 20 Questions Directors Should Ask About Privacy – No. 04000014

    • Solutions for Today's Privacy Issues – No. 02980

    Question 9 - WebTrust Consumer Protection Seal existence

    The WebTrust Consumer Protection Seal was available in the past for entities that met the Trust Services Processing Integrity and Online Privacy Principles. Can this seal continue to be issued?

    No.

    This special seal and related practitioner’s report were seldom used and are now discontinued. However, a WebTrust seal, without the “Consumer Protection” designation, could still be issued.


    Question 10 – issuance of combined report

    Can you issue one combined report on Privacy (using GAPP) and another Trust Services principle (such as availability)?

    Yes, but the task force does not recommend a combined report in this scenario. Since privacy needs to address the entire information lifecycle from collection to destruction, there are often several systems involved. Unless the other principle (i.e., availability in this scenario) also covers all systems involved in the entire information lifecycle, a combined report ordinarily would be overly complex and difficult for a user to understand. It is preferable to issue two separate reports that can be linked by a common seal.


    Relationship of GAPP to SAS No. 70


    Question 11 – GAPP in a SAS No. 70 engagement

    Can GAPP be used as a basis for a SAS No. 70 engagement?

    No – SAS No. 70 reports are intended to focus on the effectiveness of controls at a service organization as they relate to a user organization’s financial reporting. It would be unusual for privacy controls to relate to financial reporting. However, GAPP could be used as a basis for a report under AT101 that contains supplemental information similar to that in a SAS No. 70 report.


    Question 12 – comparison of Trust Services Principles

    Can you summarize how the various types of Trust Services principles and criteria relate to the different services?

    See the table below. Its four columns are: (A) attestation engagement with no seal or other AICPA branding; (B) Trust Services – SysTrust; (C) Trust Services – WebTrust; (D) SAS No. 70.

    Principles:

    • Availability – (A) Yes; (B) Yes; (C) Yes; (D) No

    • Security – (A) Yes; (B) Yes; (C) Yes; (D) Yes, but only for control objectives related to financial reporting

    • Processing integrity – (A) Yes; (B) Yes; (C) Yes; (D) Yes, but only for control objectives related to financial reporting

    • Confidentiality – (A) Yes; (B) Yes; (C) Yes; (D) No

    • Privacy – GAPP – (A) Yes; (B) No; (C) Yes; (D) No

    Other attributes:

    • System – (B) Any system described in system description; (C) Online system; (D) Financial systems as described in system description

    • Seal – (A) No seal; (B) SysTrust Logo can be licensed for use; (C) WebTrust Logo can be licensed for use

    • Public report – (A) Yes; (B) Yes; (C) Yes; (D) No

    • Other – (D) User control considerations included. Description of audit tests performed and results of those tests is included in a type 2 report.


    Appendix A – Illustrative Independent Practitioner’s WebTrust Report

    Illustration 1 – Reporting on Management’s Assertion

    Independent Practitioner's WebTrust Privacy Report

    To the Management of ABC Company, Inc.:

    We have examined ABC Company, Inc.’s (ABC Company) management assertion that, during the period Xxxx xx, 2006 through Yyyy yy, 2006, it:

    • Maintained effective controls over the privacy of personal information collected in its ______________ [description of activities covered, for example “the mail-order catalog-sales operations”] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice related to the Business and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, and
    • Complied with its commitments in its privacy notice.

    This assertion is the responsibility of ABC Company’s management. Our responsibility is to express an opinion based on our examination.

    Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of ABC Company’s controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company’s commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

    In our opinion, ABC Company’s management assertion that, during the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company:

    • Maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and

    • Complied with its commitments in its privacy notice,

    is, in all material respects, fairly stated.

    Or

    In our opinion, ABC Company’s management assertion referred to above is fairly stated, in all material respects, in conformity with ABC Company’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles.

    Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

    ABC Company’s use of the WebTrust Seal constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance.

    [Name of CPA firm]

    Certified Public Accountants

    [City, State]

    [Date]

    Notes to illustrative reports prepared under AICPA Standards.

    1. When issuing a report on another Trust Services product (e.g., WebTrust), the practitioner modifies the title of the report accordingly.

    2. When management’s assertion accompanies the practitioner’s report, the first sentence of the scope paragraph would be modified accordingly (e.g., “We have examined the accompanying management assertion…”).

    3. For reports covering the Processing Integrity Principle, the practitioner should add the following as a final paragraph: “This report does not include any representation as to the quality of ABC Company’s goods [information or services] nor their suitability for any customer’s intended purpose.” The practitioner may also include such paragraph in his or her report in other circumstances.

    Illustrative Management Assertion

    During the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company, in all material respects:

    • Maintained effective controls over the privacy of personal information collected in our _________ business [description of the activities covered, for example “the mail-order catalog-sales operations”] (the Business) to provide reasonable assurance that the personal information was collected, used, retained and disclosed in accordance with our commitments in the privacy notice related to the Business and with the criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, and

    • Complied with our commitments in our privacy notice.

    Illustration 2 – Reporting Directly on the Subject Matter

    Independent Practitioner's WebTrust Privacy Report

    To the Management of ABC Company, Inc.:

    We have examined (1) the effectiveness of ABC Company, Inc.’s (ABC Company) controls over the personal information collected in its _______ [description of the activities covered, for example “the mail-order catalog-sales operations”] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, and (2) ABC Company’s compliance with its commitments in its privacy notice related to the Business during the period Xxxx xx, 2006 through Yyyy yy, 2006. ABC Company’s management is responsible for maintaining the effectiveness of these controls and for compliance with its commitments in its privacy notice. Our responsibility is to express an opinion based on our examination.

    Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included (1) obtaining an understanding of ABC Company’s controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company’s commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

    In our opinion, during the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company, in all material respects (1) maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and (2) complied with its commitments in its privacy notice.

    Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

    ABC Company’s use of the WebTrust Seal constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance.

    [Name of CPA firm]

    Certified Public Accountants

    [City, State]

    [Date]

    See Notes to illustrative reports prepared under AICPA Standards.

    Copyright © 2006-2014 American Institute of CPAs.