Best Practices for Development and Administration of Privacy Programs

An effective privacy program is one that simultaneously addresses privacy risks and business opportunities.  As time has gone by there has been an emerging consensus on what constitutes “best practices” with respect to collection, use, retention, disclosure and destruction of personal information and companies should incorporate these principles into the planning and administration of their privacy programs.  The following criteria included in the Generally Accepted Privacy Principles issued by the AICPA/CIPA are based on internationally recognized practices that have already been incorporated into a wide range of privacy laws and regulations in the United States and around the world and into recognized guidelines recommended by industry and trade organizations:

  1. Management: A company defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  2. Notice: The company provide notice about its privacy policies and procedures and identifies the purposes for which any personal information is collected, used, retained, and disclosed.
  3. Choice and Consent: The company describes the choices available to the individual whose personal information is being collected and obtains and documents the implicit or explicit consent of the individual with respect to the collection, use, and disclosure of personal information.
  4. Collection:  The company collects personal information only for the purposes identified in the notice regarding its privacy policies and procedures.
  5. Use and Retention: The company strictly limits the use of personal information to the purposes identified in the notice and for which the individual has provided the implicit or explicit consent referred to above.  The company retains personal information for only as long as necessary to fulfill the stated purposes.
  6. Access: The company provides individuals with access to their personal information for review and update.
  7. Disclosure to Third Parties: The company limits disclosure of personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual referred to above.
  8. Security for Privacy: The company establishes policies and procedures for protecting personal information against unauthorized access (both physical and logical).
  9. Quality: The company complies with the policies and procedures specified in the notice by maintaining accurate, complete, and relevant personal information for the specific purposes identified in the notice.
  10. Monitoring and Enforcement:  The company regularly monitors compliance with its privacy policies and procedures and implements and enforces procedures to identify and address privacy-related complaints and disputes.

A thorough and effective privacy program includes policies, communications, procedures and controls, and evaluation criteria.  Policies include written statements developed by the company that clearly describe the intent and goals of management with respect to privacy compliance and specific requirements, responsibilities, and/or standards.  Communications include written and oral messages delivered by the company to the individuals whose personal information is at issue, internal personnel, and third parties about the company’s privacy notice and its commitments therein and other relevant information. Procedures and controls are other actions taken by the company to realize its goals and satisfy specific requirements, responsibilities, and/or standards.  Finally, evaluation criteria should be comprehensive, relevant, clear and objective, and measurable so that management can determine the effectiveness of the program and take appropriate actions to modify the program to cure shortcomings and integrate changes in applicable legal and regulatory requirements. The evaluation process should include monitoring and auditing, performance measurement and benchmarking.

The content in this post has been adapted from material that will appear in Business Transactions Solutions (Fall 2008) and is presented with permission of Thomson/West.  Copyright 2008 Thomson/West.  For more information or to order call 1-800-762-5272.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s