Here's a questionnaire you can use to help an entity conduct an initial risk assessment of its information-handling activities.

Understanding privacy
What personal information about customers and employees does the organization collect and retain?
What personal data are used in carrying out business, for example, in sales, marketing, fundraising and customer relations?
What personal information is obtained from or disclosed to affiliates or third parties, for example, in payroll outsourcing?
What is the impact of U.S. privacy laws and regulations and/or international privacy requirements on the company? (This may require a legal interpretation.)
How does the organization's business plan address the privacy of personal information?
Implementing a privacy program

To what degree is the company's senior management actively involved in the development, implementation and/or promotion of privacy measures within the organization?
Has the entity assigned someone (for example, a chief privacy officer) the responsibility for compliance with privacy legislation?
Has the designated privacy officer been given clear authority to oversee the company's information-handling practices?
Are adequate resources available at the company for developing, implementing and maintaining a privacy compliance system?
What privacy policies has the organization established with respect to the collection, use, disclosure and retention of personal information?
How are the policies and procedures for managing personal information communicated to employees?
How are employees with access to personal information trained in privacy protection?
Are the appropriate forms and documents required by the system fully developed?
Managing privacy risk

What specific objectives have been established in order to comply with the organization's established privacy policies?
What are the consequences of not meeting the specific privacy objectives?
To what extent have appropriate control measures been identified and implemented?
How is the effectiveness of the privacy control measures monitored and reported?
What mechanisms are in place to effectively address failures to properly apply the company's established privacy policies and procedures?
The results of the risk assessment will dictate whether and to what extent an entity should implement a privacy program or supplement a current one.