The Generally Accepted Privacy Principles (GAPP) are a set of privacy principles and guidelines that were developed by the American Institute of Certified Public Accountants (AICPA) in collaboration with the Canadian Institute of Chartered Accountants (CICA). The GAPP are intended to provide a comprehensive framework for assessing and managing privacy risks in organizations and to promote the responsible handling of personal information.
The GAPP includes 10 privacy principles that are designed to guide organizations in their efforts to protect the privacy of personal information. These principles are:
1. Management: The organization should establish and maintain a privacy management program that includes policies, procedures, and accountability mechanisms to protect personal information.
2. Notice: The organization should inform individuals about the collection, use, and disclosure of their personal information.
3. Choice and Consent: The organization should provide individuals with choices about the collection, use, and disclosure of their personal information and obtain their consent.
4. Collection: The organization should only collect personal information that is necessary for the purposes identified and should do so by lawful and fair means.
5. Use, Retention, and Disposal: The organization should only use personal information for the purposes identified, retain it only as long as necessary, and dispose of it securely.
6. Access: The organization should provide individuals with access to their personal information and allow them to correct any inaccuracies.
7. Disclosure to Third Parties: The organization should only disclose personal information to third parties with the individual's knowledge and consent or where required by law.
8. Security: The organization should take reasonable steps to protect personal information against unauthorized access, use, disclosure, and destruction.
9. Quality: The organization should ensure that personal information is accurate, complete, and up to date.
10. Monitoring and Enforcement: The organization should regularly monitor and review its privacy management program to ensure that it is effective and compliant with applicable privacy laws and regulations.
The GAPP provides a comprehensive framework for managing privacy risks and promoting the responsible handling of personal information. Organizations can use these principles to develop and implement privacy policies and practices that are consistent with generally accepted privacy principles and best practices.