Major Changes Made to Generally Accepted Privacy Principles 

DISCLAIMER: Recent changes to Trust Services Principles (TSP) section 100 supersede Appendix C - GAPP section 100A. These privacy pages have not been updated to reflect those changes, nor the recent changes to privacy law in US jurisdictions or in Europe. Generally Accepted Privacy Principles (GAPP) can still be used as a management framework for privacy.

Summary of Major Changes Made to GAPP

Each entry below gives the affected principle or criterion followed by a summary of the change.

1.2.3 Personal Information Identification and Classification

New criterion that requires (1) identification of the types of personal information and sensitive personal information, and of the related processes, systems and third parties involved in handling such information, and (2) that such information is covered by the entity's privacy and security policies.


1.2.4 Risk Assessment

New criterion that requires an entity to use a risk assessment process to establish a risk baseline and, at least annually, to identify new or changed risks to personal information.


1.2.6 Infrastructure and Systems Management

Expanded criterion that now restricts the use of personal information in process and systems testing (for example, production data used in test environments).


1.2.7 Privacy Incident and Breach

New criterion that requires a documented privacy incident and breach management program to be implemented, and sets forth the minimum requirements for such a program.


1.2.10 Privacy Awareness and Training

New criterion that requires an entity to provide a privacy awareness program covering its privacy policies and related matters, and specific training for selected personnel. This requirement was previously covered by several other criteria, which have now been combined into one criterion.


4.2.4 Information Developed about Individuals

New criterion that requires an entity to inform individuals if the entity develops or acquires additional information about them for its use.

Use, Retention, and Disposal

Principle was modified to include the disposal of personal information.


5.2.3 Disposal, Destruction and Redaction of Personal Information

New criterion that requires personal information that is no longer retained to be anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.


6.2.7 Escalation of Complaints and Disputes

This criterion was removed because it duplicated 10.2.2 Dispute Resolution and Recourse.

Security for Privacy Principle

8.2.1. The Information Security Program

The criterion was modified to require the security program to address certain specified matters, and to include references to ISO/IEC 27002:2005, Information technology—Security techniques—Code of practice for information security management.

8.2.6 Personal Information on Portable Media

New criterion that requires personal information stored on portable media or devices (such as laptops, removable drives and mobile devices) to be protected from unauthorized access.

Monitoring and Enforcement

10.2.5 Ongoing Monitoring

New criterion that requires an entity to have ongoing procedures, based on a risk assessment, for monitoring the effectiveness of controls over personal information and for taking timely corrective action.


Copyright © 2006-2016 American Institute of CPAs.