Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Jun 14, 2007

Two more privacy resources

Thanks to a reply to a question on the IIA's IT Audit discussion board, I have discovered two useful privacy resources.

Firstly, the IIA's Global Technology Audit Guide (GTAG) number 5 covers Managing and Auditing Privacy Risks which
"is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks which help to understand the basic concepts and aid in finding the right sources for more guidance regarding expectations and what works well in a variety of environments. It also covers the details on how internal auditors complete privacy assessments."

Secondly, the American Institute of Certified Public Accountants (AICPA)'s Generally Accepted Privacy Principles (GAPP) cover the following ten key privacy issues:

1. Management: the organization must define, document, communicate and assign accountability for its privacy polices and procedures.

2. Notice: the organization must provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained and disclosed.

3. Choice and consent: the organization must describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4. Collection: the organization must collect personal information only for the purposes identified in the notice.

5. Use and retention: the organization must limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.

6. Access: the organization must provide individuals with access to their personal information for review and update.

7. Disclosure to third parties: the organization must disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.

8. Security for privacy: the organization must protect personal information against unauthorized access (both physical and logical).

9. Quality: the organization must maintain accurate, complete and relevant personal information for the purposes identified in the notice.

10. Monitoring and enforcement: the organization must monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.

Anyone familiar with the EU's data protection principles will probably recognize the commonality with GAPP.