Local, national, and international entities have established laws, regulations, and guidelines to protect individual’s privacy. Privacy is considered being free from the observation and disturbance of others. The International Association of Privacy Professionals (IAPP) specifies further that individuals have a right to information privacy—the ability to control how one’s personal information is collected and used. Organizations must be proactive in addressing the challenges of establishing and maintaining privacy programs to safeguard personal information within their possession.
Why do we need privacy protections?
We live in the Information Age, a time that truly epitomizes Sir Francis Bacon’s catchphrase that “knowledge is power.” With a global economy driven by a digital industry that impacts nearly every aspect of our lives, businesses are constantly collecting, storing, using, and sharing consumer data and information.
Technological innovation and the power of data analytics create remarkable value, but also present new challenges. Threats to the security and privacy of personal information continue to grow as the value of information has increased. The protection of personal information is appropriately of utmost importance to many individuals and organizations around the world. Governing bodies at nearly every level have attempted to legislate and regulate activities to protect their citizenry. The Health Insurance Portability and Accountability Act (HIPAA) and the European Union’s General Data Protection Regulation are a couple of examples. Business expend a great deal of resources complying with these regulations and protecting their data.
Yet, cyber-attacks and data breaches are constantly making headlines. Just a few days ago, we learned that Equifax’s database was breached through a vulnerability on its website, potentially exposing the personal information (e.g., social security numbers, credit card numbers, driver’s license numbers, birth date, etc.) of an estimated 143 million people in North America and the United Kingdom. Even less assuring is the fact that the intrusion took place between mid-May and July, and the public announcement came nearly two months after the company became aware of it. Unfortunately, this isn’t an isolated incident. The following are some of the data breaches reported just this year:
- E-Sports Entertainment Association (ESEA) – 1.5 million records
- Xbox 360 ISO – 1.3 million users
- PSP ISO – 1.3 million users
- InterContinental Hotels Group (IHG) – 1,200 properties
- Arby’s – 1,000 restaurants
- River City Media – 393 million records
- Dun & Bradstreet – 33 million corporate contacts
- America’s JobLink – 4.8 million users
- Internal Revenue Service (IRS) – 100,000 taxpayers
- Gmail – 1 million users
- Verizon – 14 million subscribers
Experiencing such an event can be devastating to a business. Damage to the organization’s reputation and brand are significant, as are potential legal reparations. Evidenced by Blue Cross and Blue Shield / Anthem’s announced settlement of $115 million earlier this year for a 2015 data breach impacting 80 million of its customers.
GAPP Privacy: What are the Generally Accepted Privacy Principles?
Recognizing the challenges that businesses face in addressing privacy risks, the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) organized the Privacy Task Force to create a comprehensive framework that organizations could use to effectively manage their privacy risks. The Privacy Task Force considered international regulatory privacy requirements and industry best practices to develop the privacy guidance. The framework developed by the Privacy Task Force is called the Generally Accepted Privacy Principles (GAPP). The GAPP consists of ten privacy principles. The privacy principles are listed and summarized below:
- Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
- Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
- Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
- Collection. The entity collects personal information only for the purposes identified in the notice.
- Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
- Access. The entity provides individuals with access to their personal information for review and update.
- Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
- Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
- Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
- Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.
The implementation and consistent application of the GAPP privacy framework or privacy principles will enable an organization to effectively manage the collection, use, retention, disclosure, and disposal of data requiring privacy protections.
What types of information require privacy protections?
Organizations have a responsibility to keep a variety of data collected secure and private. A few of the most common types of data requiring protection are personally identifiable information (PII) and protected heath information (PHI).
PII is broadly defined as any information that can be used to identify, contact, or locate a specific person. The National Institute of Standards and Technology further specifies that PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
HIPAA defines PHI as data or documentation including the following 18 identifiers:
- Names
- Geographic identifiers (more specific than State)
- Dates specific to an individual (other than year only)
- Phone numbers
- Email addresses
- Fax numbers
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (e.g., license plate or vehicle numbers)
- Device serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (such as finger, retinal, and voice prints)
- Full face images
- Any other number, characteristic, or code unique to an individual
PHI that is created, received, stored, or transferred in an electronic form is often referred to as ePHI. The same privacy protections needed for PHI are required for ePHI.
How can your organization apply GAPP or Generally Accepted Privacy Principles?
Organizations can use GAPP to design and implement a privacy policy, create and manage an internal privacy program, and monitor its performance. There are five key components to using the GAPP principles to establish and manage a privacy program: strategize, diagnose, implement, sustain and manage, and auditing.
Strategically Design Your Privacy Program
Creating a strategy or vision for the organization’s long-term direction and prosperity helps define the culture and helps shape how the it will interact with external entities, including its customers. This process should also help develop an overall master plan based on its strategic direction. Having a clear strategy and master plan should help clarify the objective and align the organization toward it. If privacy compliance is a critical component to your organization’s success, your strategic plan should identify the long-term goals and major obstacles for becoming compliant with relevant privacy laws and regulations.
With long-term goals established, the final step of strategizing is assigning resources to execute the plan. The allocation of resources would include the identification and assignment of human, financial, and other resources for the strategic plan.
Diagnose Your Organization’s Control Environment
The diagnosis or assessment phase is critical to designing an effective privacy program. During this stage, the organization analyzes its environment to identify where weaknesses, vulnerabilities, and threats exist. The entity should not only identify potential areas for privacy risk, but should also consider processes or controls in place to address them in order to identify any gaps. An assessor may utilize the management criteria within the GAPP guidance to evaluate the entity against its privacy goals and to determine to what extent the business is achieving those goals. If an organization lacks the resources or skill-set, they may want to bring in a third-party who can perform the assessment and provide clear, actionable recommendations for the organization to address during implementation. Any gaps can and should be addressed in its plan.
Implement Your Privacy Program
Having diagnosed its environment, the organization can now create an action plan to mobilize based on the diagnostic recommendations. Leadership may utilize the illustrative controls and procedures related to the 10 privacy principles in the GAPP guidance to address gaps and recommendations related to its privacy program determined during the diagnosis phase.
The implementation phase includes the design and documenting of a privacy program and action plan to implement and manage it. The plan should clearly define privacy ownership, assign responsibility and tasks, establish an implementation schedule including major milestones, and measures of success.
Sustain and Manage the Program
The sustaining and managing phase is essentially the monitoring of the execution of the action plan to ensure that it is being performed appropriately and, if necessary, variances are identified in a timely manner to initiate corrective action. Monitoring would include the policies, processes, and supporting technology utilized to ensure compliance with privacy policies and the ability to exhibit due diligence.
Auditing to Improve and Ensure Compliance
There are two components to auditing—internal and external. Internal auditors can perform objective assessments and provide consulting services designed to add value and improve an organization’s operational efficiency. Their assessments can help the entity to accomplish its strategic objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Some organizations that need to comply with HIPAA may use internal auditors to perform a self-assessment
It is common for customers to request that their service providers’ have an independent auditor (or external auditor) assess the organization’s control environment to obtain assurance that controls are in place to provide the security and maintain the privacy of their data. Certified Public Accounting (CPA) firms can perform attestation and assurance services to build trust and confidence for individuals, management, customers, business partners, and other users. As a Certified Public Accounting firm, Linford & Company LLP specializes in the performance of SOC 2 and HIPAA compliance audits to help provide that assurance that service providers are appropriately applying GAPP.
Summary
Every organization faces a significant challenge in maintaining the security and privacy of personal information within its custody. The GAPP presents a framework of generally accepted principles and practices that an entity can employ to mitigate risk of not maintain the privacy of its information assets.
For more information on SOC audits or HIPAA Compliance Audits, read these related blog posts:
- The SOC 2 Privacy Audit
- HIPAA Retention Requirements
- New 2017 Trust Services Criteria
- Confidentiality vs. Privacy in a SOC 2
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.